CVE-2021-47830

MEDIUM

GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-47830. PoCs published by boku.

AI-analyzed exploit summary This exploit chains a CSRF vulnerability with a stored XSS vulnerability in the My SMTP Contact plugin for GetSimple CMS to achieve remote code execution. The XSS payload bypasses htmlspecialchars() using hex-escaped characters to inject a script that collects a CSRF token and uploads a webshell.

Description

GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized changes but does not directly enable remote code execution.

Exploits (2)

exploitdb WORKING POC
by boku · pythonwebappsphp
https://www.exploit-db.com/exploits/49798

This exploit chains a CSRF vulnerability with a stored XSS vulnerability in the My SMTP Contact plugin for GetSimple CMS to achieve remote code execution. The XSS payload bypasses htmlspecialchars() using hex-escaped characters to inject a script that collects a CSRF token and uploads a webshell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GetSimple CMS My SMTP Contact Plugin <= v1.1.2
No auth needed
Prerequisites: Victim must visit a malicious site controlled by the attacker · Target must have the vulnerable plugin installed · Admin session must be active
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
by boku · pythonwebappsphp
https://www.exploit-db.com/exploits/49774

This exploit chains a CSRF vulnerability with PHP code injection in GetSimple CMS's My SMTP Contact plugin to achieve remote code execution. The PoC sets up a malicious server to deliver a CSRF payload that injects PHP code into the plugin's configuration, leading to RCE when an admin visits the site.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: GetSimple CMS My SMTP Contact Plugin <= v1.1.1
No auth needed
Prerequisites: Admin user must visit a malicious site · Plugin must be installed and configured
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49774
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/49798
Various Sources product
http://get-simple.info

Scores

CVSS v3 6.5
EPSS 0.0035
EPSS Percentile 26.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (2)
get-simple/getsimplecms 1.1.1
GetSimple CMS/My SMTP Contact Plugin 1.1.1
Published Jan 21, 2026
Tracked Since Feb 18, 2026