CVE-2021-27230

8.8 HIGH

📋 TL;DR

This vulnerability lets an authenticated control-panel user who holds translation permissions inject arbitrary PHP into the language files that ExpressionEngine CMS writes when a translation is saved (the Translate::save() path). Because those files are PHP and are loaded at runtime, the injected code runs on the web server with the web server's privileges. Every installation on a vulnerable version that has at least one account with translation access is affected.

💻 Affected Systems

Products:
  • ExpressionEngine CMS
Versions: ExpressionEngine <5.4.2, ExpressionEngine 6.x <6.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user with translation permissions. Default installations include translation capabilities.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full server compromise leading to data theft, malware deployment, lateral movement to other systems, and complete site defacement.

🟠

Likely Case

Attacker gains web server user privileges, can read/write files, execute commands, and potentially escalate to higher privileges.

🟢

If Mitigated

Restricting translation permissions shrinks the set of accounts that can reach the bug but does not remove it: a compromised or malicious translator account still gets code execution on the server.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a valid control-panel login with translation access; this is not a pre-authentication bug. Public exploit code is available on Packet Storm and other sources, so assume that anyone who obtains such an account (phished credentials, a disgruntled translator) can use it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ExpressionEngine 5.4.2, ExpressionEngine 6.0.3

Vendor Advisory: https://expressionengine.com/features (this links to the product page rather than a dedicated advisory; the fix is recorded in the release notes for 5.4.2 and 6.0.3)

Restart Required: No

Instructions:

1. Back up the site files and the database.
2. Update to ExpressionEngine 5.4.2 (5.x line) or 6.0.3 (6.x line) through the control panel's updater or by manual download.
3. Clear the cache.
4. Verify the update completed and that the control panel reports the fixed version.
5. Review the files under system/user/language for PHP that does not belong there: the update closes the write path but does not remove code that was already injected.

🔧 Temporary Workarounds

Restrict Translation Permissions

all

Remove translation permissions from all non-essential users to limit attack surface.

File System Permissions

linux

Make the user language tree unwritable by the web server account. Directories must keep their execute (search) bit or PHP can no longer read the language files at all, so do not apply 444 recursively; set directories to 555 and files to 444:

find /path/to/system/user/language -type d -exec chmod 555 {} +
find /path/to/system/user/language -type f -exec chmod 444 {} +

Caveats: the file owner can still change the mode back, so keep ownership with a deploy user rather than the web server account; and the Translate utility will fail to save until you revert this, which is the intended effect.

🧯 If You Can't Patch

  • Immediately remove translation permissions from every user except the administrators who genuinely need them.
  • At the WAF or reverse proxy, block (or at least alert on) POST requests to the control panel's translate save route, and allow that route only from administrator source addresses. A WAF cannot see PHP function names such as Translate::save(), only the URL the request is sent to.
  • Audit system/user/language for PHP that does not belong in a translation file; none of these workarounds undo prior exploitation.

🔍 How to Verify

Check if Vulnerable:

The version shown in the admin panel is authoritative. From the shell, grep the install for the app_version string:

Check Version:

grep "app_version" /path/to/system/ee/legacy/config/version.php

If that file is not present on your release, search the whole system tree instead: grep -rn "app_version" /path/to/system --include='*.php'

Verify Fix Applied:

Confirm version is 5.4.2 or higher for EE5, or 6.0.3 or higher for EE6.
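To run that check across many hosts rather than by eye, here is an added example (my own code, not from this page or from ExpressionEngine) that parses a version string or an app_version config line and applies the two ranges above. The shape of the sample config line and the treatment of pre-release suffixes (sorted strictly before the release they precede) are assumptions made for illustration.

```python
import re

# Fixed releases named on this page: 5.4.2 closes the 5.x line (and every
# earlier line, since the CVE covers everything before 5.4.2) and 6.0.3
# closes the 6.x line. Anything at or above 6.0.3 is treated as fixed.
VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?P<pre>[-.]?(?:rc|beta|alpha|dev)[\w.]*)?", re.I
)


def parse_version(text):
    """Return (major, minor, patch, final), with final = 0 for a pre-release
    such as 6.0.3-rc.1 and 1 for the final release, so a pre-release sorts
    strictly before the release it precedes."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version string in {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group("pre") else 1)


def is_vulnerable(version):
    """version may be a string ("6.0.2") or a tuple from parse_version()."""
    v = parse_version(version) if isinstance(version, str) else version
    if v < (5, 4, 2, 1):                   # everything before 5.4.2, any major
        return True
    if (6, 0, 0, 0) <= v < (6, 0, 3, 1):   # 6.0.0 up to, but excluding, 6.0.3
        return True
    return False


def app_version_from_config(php_source):
    """Pull the version out of the app_version line that the grep above
    returns. The exact shape of that line is assumed for illustration."""
    for line in php_source.splitlines():
        if "app_version" in line:
            return parse_version(line)
    raise ValueError("no app_version line found")


# Constructed sample of the line the grep is expected to return.
SAMPLE_CONFIG = """<?php
$config['app_version'] = '6.0.2';
"""


def check_install(php_source):
    v = app_version_from_config(php_source)
    label = ".".join(map(str, v[:3])) + ("" if v[3] else " (pre-release)")
    return {"version": label, "vulnerable": is_vulnerable(v)}


if __name__ == "__main__":
    print(check_install(SAMPLE_CONFIG))   # {'version': '6.0.2', 'vulnerable': True}
```

Feed check_install() the output of the grep from each host; a 7.x or later release falls through to "not vulnerable" because it is above 6.0.3.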

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to translation endpoints
  • File writes to _lang.php files in system/user/language directory
  • PHP statements in language files beyond the $lang array definition. These files are PHP by design, so the presence of PHP alone is not an indicator; function calls, superglobals ($_GET, $_POST) or eval()/system()-style constructs are.
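The last indicator is the awkward one, because every language file is PHP and a translator's text may legitimately contain quotes, parentheses and the word "system". The following added example (my own code, not from this page or from ExpressionEngine) strips every string literal and comment from a language file and flags whatever code is left that is not part of the expected $lang array skeleton. That skeleton, the dangerous-identifier list and both sample files are constructed assumptions for illustration, not ExpressionEngine's actual files; the injected payload is illustrative and is not the public proof of concept.

```python
import os
import re

# Tokens that legitimately remain in an ExpressionEngine user language file
# once every string literal and comment is removed. This skeleton
# ("<?php $lang = array('key' => 'value', ...);", or the older
# "$lang['key'] = 'value';" form) is assumed for illustration; extend it if
# your files carry extra structure.
ALLOWED = {"<?php", "?>", "$lang", "=", "array", "(", ")", "=>", ",", ";", "[", "]", "."}

# Identifiers that have no business in a translation file at all.
DANGEROUS = {
    "eval", "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
    "assert", "create_function", "base64_decode", "gzinflate", "str_rot13",
    "include", "include_once", "require", "require_once", "file_put_contents",
    "$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER", "$GLOBALS", "`",
}

TOKEN_RE = re.compile(
    r"<\?php|\?>|=>|\$?[A-Za-z_][A-Za-z0-9_]*|\d+(?:\.\d+)?|[=(),;\[\].]|\S"
)


def strip_strings_and_comments(src):
    """Return the PHP code of src with every quoted string and every comment
    replaced by a space, so quotes inside translation text cannot be confused
    with syntax. Backslash escapes inside strings are honoured. Heredocs are
    not handled and fall through as unexpected tokens, which is the safe
    direction for an audit."""
    out = []
    i, n = 0, len(src)
    while i < n:
        c = src[i]
        nxt = src[i + 1] if i + 1 < n else ""
        if c in "'\"":                                # quoted string
            i += 1
            while i < n and src[i] != c:
                i += 2 if src[i] == "\\" else 1       # skip escaped character
            i += 1                                    # closing quote
            out.append(" ")
        elif (c == "/" and nxt == "/") or c == "#":   # line comment
            while i < n and src[i] != "\n":
                i += 1
        elif c == "/" and nxt == "*":                 # block comment
            end = src.find("*/", i + 2)
            i = n if end < 0 else end + 2
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out)


def audit_language_file(src):
    """Tokenise the code-only view of a language file and report every token
    outside the expected skeleton, plus the subset that is outright dangerous.
    A clean file yields no unexpected tokens at all."""
    tokens = TOKEN_RE.findall(strip_strings_and_comments(src))
    unexpected = [t for t in tokens if t not in ALLOWED]
    dangerous = sorted({t for t in unexpected if t in DANGEROUS})
    return {"clean": not unexpected, "unexpected": unexpected, "dangerous": dangerous}


def audit_tree(root):
    """Audit every .php file under root (e.g. system/user/language) and
    return {path: report} for the files that are not clean."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = audit_language_file(fh.read())
                if not report["clean"]:
                    findings[path] = report
    return findings


# Constructed sample of a legitimate user translation file.
CLEAN_SAMPLE = """<?php

$lang = array(

'welcome'  => "Welcome back, it's good to see you",
'logout'   => 'Log out',
'retry_in' => 'Retry in 30 seconds (don\\'t refresh)',

);

// EOF
"""

# Constructed sample of the same file after a translation value broke out of
# its quotes and appended PHP while keeping the file syntactically valid.
INJECTED_SAMPLE = """<?php

$lang = array(

'welcome'  => 'x'); system($_GET['c']); $lang = array('k' => 'v',
'logout'   => 'Log out',

);
"""

if __name__ == "__main__":
    print(audit_language_file(CLEAN_SAMPLE))
    print(audit_language_file(INJECTED_SAMPLE))
```

Run audit_tree() against the language directory on a suspected host and against a known-good copy from your VCS; anything in "unexpected" deserves a look even when "dangerous" is empty, since attackers can use functions the list does not name.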

Network Indicators:

  • HTTP POST bodies to the translate save route that contain PHP syntax (<?php, eval(, system(, $_GET, $_POST) in the translation parameters
  • Translate save requests from unexpected source addresses, at unusual hours, or from accounts that never used the Translate utility before

SIEM Query:

The function name Translate::save() never appears on the wire, so matching a URI on it finds nothing. Match the control-panel route of the Translate utility's save action instead; in EE5/6 that utility is reached under Utilities in the control panel, so confirm the exact path against your own CP URLs. Two things to watch: the CP route sits in the query string after admin.php?, so a logger that drops query strings will never match it, and a control panel often answers a successful save with a redirect, so do not require status=200.

source="web_logs" AND method="POST" AND uri CONTAINS "/cp/utilities/translate/" AND uri CONTAINS "/save/" AND status<400
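The same query as an offline log filter, as an added example (my own code, not from this page or from ExpressionEngine) that can be run over exported access logs from the incident window. The control-panel route it matches (admin.php?/cp/utilities/translate/<language>/save/<file>) is an assumption about EE5/6 routing; confirm it against your own control panel and adjust the pattern. The log lines are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" log line; only the fields this check needs are
# captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Assumed route of the Translate utility's save action in the EE5/6 control
# panel. The route lives in the query string, so a logger configured to drop
# everything after "?" will never match it.
TRANSLATE_SAVE_RE = re.compile(
    r"/admin\.php\?/cp/utilities/translate/[^/\s]+/save/", re.I
)

# Constructed sample log lines: one edit-page view, three save attempts
# (accepted, redirected after acceptance, refused) and unrelated CP traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2021:10:01:02 +0000] "GET /admin.php?/cp/utilities/translate/english/edit/email_lang HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2021:10:01:40 +0000] "POST /admin.php?/cp/utilities/translate/english/save/email_lang HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2021:10:05:00 +0000] "POST /admin.php?/cp/utilities/translate/english/save/email_lang HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [12/Mar/2021:10:05:30 +0000] "POST /admin.php?/cp/utilities/translate/english/save/email_lang HTTP/1.1" 403 0 "-" "python-requests/2.25"
192.0.2.10 - - [12/Mar/2021:10:06:00 +0000] "GET /admin.php?/cp/homepage HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
"""


def find_translate_saves(log_text):
    """Return every POST to the translate save route, accepted or not."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not TRANSLATE_SAVE_RE.search(m["target"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                     "status": int(m["status"])})
    return hits


def accepted_saves_by_ip(hits):
    """Count saves the CP accepted. A 2xx or a 3xx (redirect back to the edit
    page) both mean the write happened; 4xx means it was refused."""
    return Counter(h["ip"] for h in hits if h["status"] < 400)


if __name__ == "__main__":
    hits = find_translate_saves(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(dict(accepted_saves_by_ip(hits)))
```

Every accepted save is a file write by a logged-in user; compare the list against the translators you expect and check the written file with a content audit before deciding it was benign.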
