CVE-2020-23839

MEDIUM

GetSimple CMS 3.3.16 - Reflected Cross-Site Scripting in Login Portal

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-23839. PoCs published by boku, boku7.

AI-analyzed exploit summary This exploit leverages a reflected XSS vulnerability in GetSimple CMS 3.3.16 to steal admin credentials, chain XHR requests, and achieve RCE via a PHP webshell injection. The attack requires admin interaction to trigger the payload.

Description

A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials, and submits the login form.

Exploits (2)

exploitdb WORKING POC

by boku · pythonwebappsphp

https://www.exploit-db.com/exploits/49726

View Code ZIP pw:eip

This exploit leverages a reflected XSS vulnerability in GetSimple CMS 3.3.16 to steal admin credentials, chain XHR requests, and achieve RCE via a PHP webshell injection. The attack requires admin interaction to trigger the payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: GetSimple CMS v3.3.16

Auth required

Prerequisites: Admin must visit crafted URL and log in

MITRE ATT&CK

T1059 - Command and Scripting Interpreter T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 11 stars

by boku7 · poc

https://github.com/boku7/CVE-2020-23839

View Code ZIP pw:eip

This repository contains two Python scripts exploiting CVE-2020-23839, a reflected XSS vulnerability in GetSimple CMS v3.3.16. The scripts chain the XSS to achieve RCE by injecting a PHP webshell into the CMS theme files.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: GetSimple CMS v3.3.16

No auth needed

Prerequisites: Target must be running GetSimple CMS v3.3.16 · Admin must visit the crafted URL and log in

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/GetSimpleCMS/GetSimpleCMS/issues/1330

Third Party Advisory, VDB Entry x_refsource_misc

http://packetstormsecurity.com/files/162016/GetSimple-CMS-3.3.16-Cross-Site-Scripting-Shell-Upload.html

Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/49726

Third Party Advisory x_refsource_misc

https://github.com/boku7/CVE-2020-23839

Scores

CVSS v3 6.1

EPSS 0.1046

EPSS Percentile 95.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

get-simple/getsimple_cms 3.3.16

Published Sep 01, 2020

Tracked Since Feb 18, 2026