CVE-2021-47783

5.4 MEDIUM

📋 TL;DR

This vulnerability allows authenticated attackers to upload malicious SVG files containing JavaScript through Phpwcms's multiple file upload feature. Successful exploitation enables cross-site scripting attacks that could compromise user sessions or deface websites. Only Phpwcms 1.9.30 installations with authenticated user access are affected.

💻 Affected Systems

Products:
  • Phpwcms
Versions: 1.9.30
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the file upload functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript in victims' browsers, leading to session hijacking, credential theft, website defacement, or redirection to malicious sites.

🟠 Likely Case

Authenticated users with upload privileges could embed malicious scripts in SVG files, potentially affecting other users who view those files.

🟢 If Mitigated

With proper input validation and file type restrictions, the risk is limited to authenticated users who might still bypass controls through social engineering.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access and knowledge of SVG file manipulation with embedded JavaScript.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.31 or later

Vendor Advisory: http://www.phpwcms.org/

Restart Required: No

Instructions:

1. Back up your Phpwcms installation and database.
2. Download the latest version from phpwcms.org.
3. Replace all files except configuration and upload directories.
4. Run any database update scripts if provided.
5. Test functionality.

🔧 Temporary Workarounds

Restrict SVG file uploads

all

Modify file upload configuration to block SVG files or validate SVG content for JavaScript.

Modify upload configuration in Phpwcms to reject .svg files or implement content validation

Implement Content Security Policy

all

Add CSP headers, including on the responses that serve uploaded files, to prevent execution of inline JavaScript from those files.

Add header: Content-Security-Policy: script-src 'self'

🧯 If You Can't Patch

  • Restrict file upload permissions to trusted administrators only
  • Implement web application firewall rules to block SVG files with JavaScript content

🔍 How to Verify

Check if Vulnerable:

Check Phpwcms version in admin panel or by examining source files for version 1.9.30.

Check Version:

Check admin panel or look for version information in include/inc_tmpl/admin.tmpl.php

Verify Fix Applied:

Verify installation shows version 1.9.31 or later and test that SVG files with JavaScript are rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Multiple SVG file uploads from single user
  • Large SVG files with unusual content patterns
  • Failed upload attempts with JavaScript in SVG

Network Indicators:

  • POST requests to upload endpoints with SVG content
  • Unusual file upload patterns

SIEM Query:

source="web_logs" AND (uri_path="/phpwcms/inc/act_fileupload.php" OR uri_path LIKE "%/upload/%") AND file_extension=".svg"
