CVE-2021-47860

MEDIUM

GetSimple CMS Custom JS Plugin 0.1 - CSRF leading to XSS and RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-47860. PoCs published by boku, Abhishek Joshi.

AI-analyzed exploit summary This exploit chains CSRF to inject XSS into an admin's session, then uses XHR to achieve RCE by writing a PHP webshell. It requires an admin to visit a malicious site while authenticated.

Description

GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.

Exploits (2)

exploitdb WORKING POC

by boku · pythonwebappsphp

https://www.exploit-db.com/exploits/49816

View Code ZIP pw:eip

This exploit chains CSRF to inject XSS into an admin's session, then uses XHR to achieve RCE by writing a PHP webshell. It requires an admin to visit a malicious site while authenticated.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: GetSimple CMS Custom JS Plugin v0.1

No auth needed

Prerequisites: Admin must be authenticated and visit attacker-controlled site · Custom JS Plugin v0.1 must be installed

MITRE ATT&CK

T1189 - Drive-by Compromise T1059 - Command and Scripting Interpreter T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by Abhishek Joshi · htmlwebappsphp

https://www.exploit-db.com/exploits/49712

View Code ZIP pw:eip

This is a functional CSRF exploit targeting GetSimple CMS's Custom JS Plugin v0.1, demonstrating how an attacker can inject arbitrary JavaScript code into the CMS via a crafted POST request. The exploit leverages a lack of CSRF protection to achieve persistent XSS when an admin visits a malicious page.