Team Textpattern is pleased to announce the release of Textpattern CMS version 4.8.8, available for immediate download and deployment. Textpattern 4.8.8 adds support for PHP 8.1, addresses a security issue, and offers additional minor improvements to the user experience.

If you have a Textpattern website, we recommend upgrading to Textpattern 4.8.8 to fix a reported security issue. Many thanks to Paul Ritchie at Pentest Ltd for responsibly reporting an issue relating to article preview and plugin upload functionality. We are grateful for Paul’s thorough report in outlining the issue, which allowed Textpattern developers to efficiently reproduce the issue, isolate a fix and resolve it. Versions of Textpattern prior to 4.8.8 are affected by this issue, and upgrading is highly recommended.

Pentest will be publishing an article on their site detailing the issue; we will update this post with further details when we have them.

Update: Pentest have published an article outlining the issue in more detail – Leveraging XSS to get RCE in Textpattern 4.8.7

As with all Textpattern upgrades, refer to the current Textpattern system requirements and ensure you have known-good backups of your site files and database, including all uploaded content such as images & files. Before you make any changes, please refer to the accompanying release notes in HISTORY.txt to ensure you understand what has changed in this release, along with any versions released beforehand that may have been skipped. You can check your current Textpattern version from the bottom of any page on the admin-side.

Thank you to everyone who contributed to this patch release with reporting & resolving bugs, providing & improving language translations and overall improvements to the Textpattern ecosystem. We’re grateful to all contributors offering us their expertise, time, attention, words, donations, signal boosting, evangelism, cheerleading and all other activities that fuel our progress.

Textpattern’s infrastructure and continued development are kindly supported by DigitalOcean, 1Password and BrowserStack. We are grateful for their ongoing involvement & support for Textpattern, and our global community of authors, publishers, designers and administrators. Thank you!

There is no spyware, adware, user tracking or other junk in Textpattern. We work to keep things fast, nimble, secure and ready for pretty much anything you can throw at it. You can show your appreciation by sponsoring Textpattern on GitHub or supporting Textpattern on Open Collective. Alternatively, you can donate to Team Textpattern with PayPal.

We have a friendly forum for a Textpattern sites showcase – tell us what you’ve made with Textpattern; we’d love to hear from you. Even a ‘hello!’ or ‘thanks!’ helps us to gauge how far Textpattern has travelled, so don’t be a stranger.

Download

You can download Textpattern from textpattern.com using the following links, or from Textpattern v4.8.8 on GitHub. Please take a moment to ‘star’ Textpattern’s repositories on GitHub if they are of interest to you. This really helps us out.

Please note: to fully utilise Textpattern’s multi-site capabilities, please download the .tar.gz archive as it includes the multi-site scaffold.

textpattern-4.8.8.zip

SHA256 checksum: baf6834f720f50d2863abbc90092248dde1964ca85eadb6f767c46e252740687
File size: 2016 kB

textpattern-4.8.8.tar.gz

SHA256 checksum: 5bfa43a67007267a46980fcd0243614e83b46231af0ba1fff5cc0a65628005ba
File size: 1772 kB

The Textpattern demo has been updated to offer Textpattern test drives in complete safety. The demo sites are rebuilt every few hours using the Textpattern auto-installer.

System requirements

Textpattern 4.8 requires a minimum of PHP 5.5 as part of the system requirements, though a vendor-supported PHP version is highly recommended. At the time of writing, PHP 8.0 & PHP 8.1 have active and ongoing support. PHP 7.4 has extended security support until 28 November 2022. All PHP versions before PHP 7.4 are no longer supported by the vendor. Please refer to PHP Supported Versions for up-to-date schedules.

If you are upgrading Textpattern from a version prior to 4.8.0, please note the SimpleXML PHP extension is now required. Most PHP instances have this built-in and enabled already. Check with your web host if you have any doubts.

Please note: we will increase the minimum PHP and MySQL version requirements for Textpattern 4.9. More details will be provided in due course.

Installation and upgrade

Please ensure you log out of the admin side prior to upgrade, perform and verify a full site backup (database and files, including any file/image uploads), and refer to the README.txt file in the download archives for detailed instructions. The vast majority of Textpattern upgrades are smooth sailing and happen without incident, but on the rare occasion something does go astray it’s preferable to safely restore the known-good version from your full site backup and troubleshoot any issues while your site continues to be available.

What’s new in this release?

The Textpattern 4.8.8 HISTORY.txt outlines changes for this and previous Textpattern releases, along with their respective release dates. We recommend you read the list of changes to understand how this may affect your current sites, especially if you’re upgrading from older versions. Please note that while upgrades from very old releases of Textpattern are possible, you may need to perform a multi-stage upgrade.

If you require clarification on any aspect of the release notes, we recommend you seek advice before starting a site upgrade. The Textpattern support forum is an excellent place to start, and the Textpattern user documentation is regularly updated with examples, explanations and background information.

We have a forum thread dedicated to Textpattern 4.8.8 feedback. We gather field reports from fellow Textpattern administrators and users that may assist or guide you with upgrading.

Headlines

  • Maintenance release with support for PHP 8.1, security enhancements, general improvements and bug fixes.
  • Security: Fix reported cross-site scripting issue relating to article preview CSRF token (many thanks, Paul Ritchie at Pentest Limited).

Tag modifications

  • Added: <txp:items_count /> tag.
  • Added: Global limit, offset and sort attributes.
  • Added: url_title attribute to <txp:article /> and <txp:article_custom />.
  • Added: range attribute to <txp:article_image />.
  • Added: date and time attributes to <txp:if_expired />.
  • Added: calendar attribute to <txp:posted /> and similar tags.
  • Added: Substring extraction via escape attribute.
  • Added: Expanded conditional match attribute with comparison operators.
  • Changed: <txp:category_list /> with children >1 attribute behaviour.
  • Changed: Global escape attribute operates at the items level in lists.

Admin-side tweaks

  • Fixed: Admin-side pagination when sorting by non-unique values.
  • Fixed: Required parameters after optional in tag builder (thanks, phiw13).
  • Added: UTC is now a permitted time zone.
  • Added: Custom date formats.
  • Added: Natural search mode.
  • Added: Random form selection.

Internal tweaks

  • Added: Support for AVIF image format, on PHP 8.1 or higher.
  • Changed: Multi-site plugins directory defaults to site/admin/plugins.
  • Fixed: More robust numeric searches.
  • Fixed: Improved query efficiency of category operations.
  • Accessibility: Additional aria-label attributes for some internal links.
  • Internal: Removed FOUND_ROWS() which is deprecated in MySQL 8.0.17.
  • Internal: Prefer is_readable() and is_file() to file_exists().

Developer goodies

  • Developer: Added plugin lifecycle events upgraded and downgraded.
  • Developer: Export new article IDs on duplicate.

Further notes

If you find anything not working correctly or wish to propose improvements, please file a report on GitHub. There are templates for feature requests and bug reports.

We hope you enjoy this release and it serves you, your sites and clients well!