VYPR

Getsimplecms

by Get Simple

CVEs (22)

  • CVE-2014-8722 · Hig · Mar 17, 2017
    risk 0.53 · cvss 7.5 · epss 0.14

    GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/.xml, (2) backups/users/.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml.

  • CVE-2017-10673 · Med · Jun 29, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    admin/profile.php in GetSimple CMS 3.x has XSS in a name field.

  • CVE-2021-47870 · Med · Jan 21, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to…

  • CVE-2014-8723 · Med · Mar 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) plugins/anonymous_data.php or (2) plugins/InnovationPlugin.php, which reveals the installation path in an error message.

  • CVE-2018-17835 · Med · Oct 1, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    An issue was discovered in GetSimple CMS 3.3.15. An administrator can insert stored XSS via the admin/settings.php Custom Permalink Structure parameter, which injects the XSS payload into any page created at the admin/pages.php URI.

  • CVE-2019-11231 · May 22, 2019
    risk 0.07 · cvss · epss 0.72

    An issue was discovered in GetSimple CMS through 3.3.15. Insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be…

  • CVE-2022-41544 · Oct 18, 2022
    risk 0.06 · cvss · epss 0.09

    GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.

  • CVE-2014-1603 · May 14, 2014
    risk 0.03 · cvss · epss 0.03

    Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) param parameter to admin/load.php or (2) user, (3) email, or (4) name parameter in a Save Settings action to admin/settings.php.

  • CVE-2010-5052 · Nov 23, 2011
    risk 0.03 · cvss · epss 0.03

    Cross-site scripting (XSS) vulnerability in admin/components.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the val[] parameter.

  • CVE-2010-4863 · Oct 5, 2011
    risk 0.03 · cvss · epss 0.03

    Cross-site scripting (XSS) vulnerability in admin/changedata.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the post-title parameter.

  • CVE-2026-28495 · Mar 10, 2026
    risk 0.00 · cvss · epss 0.00

    GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF…

  • CVE-2026-27161 · Feb 20, 2026
    risk 0.00 · cvss · epss 0.00

    GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these…

  • CVE-2021-47778 · Jan 21, 2026
    risk 0.00 · cvss · epss 0.01

    GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.

  • CVE-2025-48492 · May 30, 2025
    risk 0.00 · cvss · epss 0.01

    GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE).…

  • CVE-2023-51246 · Jan 8, 2024
    risk 0.00 · cvss · epss 0.00

    A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exists when using Source Code Mode as a backend user to add articles via the /admin/edit.php page.

  • CVE-2020-24861 · Oct 1, 2020
    risk 0.00 · cvss · epss 0.01

    GetSimple CMS 3.3.16 allows persistent Cross Site Scripting via the 'permalink' parameter on the Settings page, which is executed when you create and open a new page.

  • CVE-2020-23837 · Sep 25, 2020
    risk 0.00 · cvss · epss 0.01

    A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL.

  • CVE-2015-5356 · Jul 1, 2015
    risk 0.00 · cvss · epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in GetSimple CMS before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the func parameter.

  • CVE-2015-5355 · Jul 1, 2015
    risk 0.00 · cvss · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post-content or (2) post-title parameter to admin/edit.php.

  • CVE-2014-8790 · Jan 20, 2015
    risk 0.00 · cvss · epss 0.03

    XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter.

Page 1 of 2