CVE-2020-24861

MEDIUM

GetSimple CMS 3.3.16 - Stored Cross-Site Scripting via Permalink Parameter

Exploitation Summary

EIP tracks 1 public exploit for CVE-2020-24861. PoCs published by Roel van Beurden.

AI-analyzed exploit summary: This exploit demonstrates a persistent Cross-Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 via the 'permalink' parameter in the admin settings. The payload is injected into the 'Custom Permalink Structure' field and triggers when creating or opening a new page.

Description

GetSimple CMS 3.3.16 allows persistent Cross-Site Scripting in the 'permalink' parameter on the Settings page, which is executed when you create and open a new page.

Exploits (1)

exploitdb · WORKING POC
by Roel van Beurden · text · webapps · php
https://www.exploit-db.com/exploits/48850

Classification: Working PoC 95%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: GetSimple CMS 3.3.16
Auth required
Prerequisites: Authenticated access to the admin panel
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
http://get-simple.info (Product; x_refsource_misc)
https://www.exploit-db.com/exploits/48850 (Exploit, Third Party Advisory, VDB Entry; x_refsource_misc)
https://www.youtube.com/watch?v=8IMfD5KGt_U (Exploit, Third Party Advisory; x_refsource_misc)

Scores

CVSS v3: 5.4
EPSS: 0.0087
EPSS Percentile: 54.1%
Attack Vector: NETWORK
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): get-simple/getsimple_cms 3.3.16
Published: Oct 01, 2020
Tracked Since: Feb 18, 2026