CVE-2021-47778

HIGH

GetSimple CMS My SMTP Contact Plugin <1.1.2 - Code Injection

Title source: llm

Description

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.

Exploits (1)

exploitdb WORKING POC

by boku · pythonwebappsphp

https://www.exploit-db.com/exploits/49774

View Code ZIP pw:eip

References (5)

[Various Sources] https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/

[Various Sources] http://get-simple.info

[Various Sources] https://github.com/GetSimpleCMS/GetSimpleCMS

[Third Party Advisory] https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-php-code-injection

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/49774

Scores

CVSS v3 7.2

EPSS 0.0111

EPSS Percentile 78.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-94

Status published

Products (2)

get-simple/getsimplecms 1.1.2

Get-Simple/My SMTP Contact Plugin 1.1.2

Published Jan 21, 2026

Tracked Since Feb 18, 2026