CVE-2020-24860

MEDIUM

CMS Made Simple 2.2.14 - Authenticated Stored Cross-Site Scripting in Content Manager

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-24860. PoCs published by Roel van Beurden.

AI-analyzed exploit summary: This is a writeup describing a persistent XSS vulnerability in CMS Made Simple 2.2.14. It details the affected parameters and provides an example payload but does not include executable exploit code.

Description

CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and place a persistent XSS payload in the affected text fields. The user can then obtain the cookies of every authenticated user who visits the website.

Exploits (1)

exploitdb WRITEUP
by Roel van Beurden · text · webapps · php
https://www.exploit-db.com/exploits/48851


Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CMS Made Simple 2.2.14
Auth required
Prerequisites: Authenticated access to the Content Manager
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (4)

Core References
Product x_refsource_misc
https://www.cmsmadesimple.org
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/48851
Exploit, Third Party Advisory x_refsource_misc
https://www.youtube.com/watch?v=M6D7DmmjLak&t=22s

Scores

CVSS v3 5.4
EPSS 0.0107
EPSS Percentile 60.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
cmsmadesimple/cms_made_simple 2.2.14
Published Oct 01, 2020
Tracked Since Feb 18, 2026