CVE-2019-9055

HIGH

CMS Made Simple < 2.2.8 - Authenticated Remote Code Execution via m1_allparms Deserialization

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-9055. Includes Metasploit module exploits/multi/http/cmsms_object_injection_rce.

AI-analyzed exploit summary This Metasploit module exploits a PHP object injection vulnerability in CMS Made Simple via the DesignManager module, allowing authenticated RCE through crafted serialization in the 'm1_allparms' parameter.

Description

An issue was discovered in CMS Made Simple 2.2.8. In the module DesignManager (in the files action.admin_bulk_css.php and action.admin_bulk_template.php), with an unprivileged user with Designer permission, it is possible reach an unserialize call with a crafted value in the m1_allparms parameter, and achieve object injection.

Exploits (1)

metasploit WORKING POC NORMAL
rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/cmsms_object_injection_rce.rb

This Metasploit module exploits a PHP object injection vulnerability in CMS Made Simple via the DesignManager module, allowing authenticated RCE through crafted serialization in the 'm1_allparms' parameter.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: CMS Made Simple 2.2.6-2.2.9.1
Auth required
Prerequisites: Valid credentials with Designer permission · Access to admin interface
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 8.8
EPSS 0.1250
EPSS Percentile 95.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-502
Status published
Products (1)
cmsmadesimple/cms_made_simple < 2.2.8
Published Mar 26, 2019
Tracked Since Feb 18, 2026