CVE-2021-47734

HIGH

CMSimple - Remote File Inclusion

Title source: rule

Description

CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms.

Exploits (1)

exploitdb WORKING POC
by S1lv3r · python · webapps · php
https://www.exploit-db.com/exploits/50547

Scores

CVSS v3 7.8
EPSS 0.0012
EPSS Percentile 31.2%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-98
Status published
Products (2)
cmsimple/cmsimple 5.4
Cmsimple/CMSimple CMSimple 5.4
Published Dec 23, 2025
Tracked Since Feb 18, 2026