CVE-2021-47778

HIGH

GetSimple CMS My SMTP Contact Plugin <1.1.2 - Code Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47778. PoCs published by boku.

AI-analyzed exploit summary This exploit chains a CSRF vulnerability with PHP code injection in GetSimple CMS's My SMTP Contact plugin to achieve remote code execution. The PoC sets up a malicious server to deliver a CSRF payload that injects PHP code into the plugin's configuration, leading to RCE when an admin visits the site.

Description

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.

Exploits (1)

exploitdb WORKING POC
by boku · pythonwebappsphp
https://www.exploit-db.com/exploits/49774

This exploit chains a CSRF vulnerability with PHP code injection in GetSimple CMS's My SMTP Contact plugin to achieve remote code execution. The PoC sets up a malicious server to deliver a CSRF payload that injects PHP code into the plugin's configuration, leading to RCE when an admin visits the site.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GetSimple CMS My SMTP Contact Plugin <= v1.1.1
No auth needed
Prerequisites: Admin user must visit a malicious site · Plugin must be installed and configured
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49774
Various Sources product
http://get-simple.info

Scores

CVSS v3 7.2
EPSS 0.0109
EPSS Percentile 61.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-94
Status published
Products (2)
get-simple/getsimplecms 1.1.2
Get-Simple/My SMTP Contact Plugin 1.1.2
Published Jan 21, 2026
Tracked Since Feb 18, 2026