Getsimplecms
by Get Simple
CVEs (22)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2014-8722 | | High | 0.53 | 7.5 | 0.14 | | Mar 17, 2017 | GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/.xml, (2) backups/users/.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml. |
| CVE-2017-10673 | | Med | 0.40 | 6.1 | 0.01 | | Jun 29, 2017 | admin/profile.php in GetSimple CMS 3.x has XSS in a name field. |
| CVE-2021-47870 | | Med | 0.35 | 5.4 | 0.00 | | Jan 21, 2026 | GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to… |
| CVE-2014-8723 | | Med | 0.35 | 5.3 | 0.01 | | Mar 17, 2017 | GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) plugins/anonymous_data.php or (2) plugins/InnovationPlugin.php, which reveals the installation path in an error message. |
| CVE-2018-17835 | | Med | 0.31 | 4.8 | 0.01 | | Oct 1, 2018 | An issue was discovered in GetSimple CMS 3.3.15. An administrator can insert stored XSS via the admin/settings.php Custom Permalink Structure parameter, which injects the XSS payload into any page created at the admin/pages.php URI. |
| CVE-2019-11231 | | | 0.07 | — | 0.72 | | May 22, 2019 | An issue was discovered in GetSimple CMS through 3.3.15. insufficient input sanitation in the theme-edit.php file allows upload of files with arbitrary content (PHP code, for example). This vulnerability is triggered by an authenticated user; however, authentication can be… |
| CVE-2022-41544 | | | 0.06 | — | 0.09 | | Oct 18, 2022 | GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php. |
| CVE-2014-1603 | | | 0.03 | — | 0.03 | | May 14, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS 3.3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) param parameter to admin/load.php or (2) user, (3) email, or (4) name parameter in a Save Settings action to admin/settings.php. |
| CVE-2010-5052 | | | 0.03 | — | 0.03 | | Nov 23, 2011 | Cross-site scripting (XSS) vulnerability in admin/components.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the val[] parameter. |
| CVE-2010-4863 | | | 0.03 | — | 0.03 | | Oct 5, 2011 | Cross-site scripting (XSS) vulnerability in admin/changedata.php in GetSimple CMS 2.01 allows remote attackers to inject arbitrary web script or HTML via the post-title parameter. |
| CVE-2026-28495 | | | 0.00 | — | 0.00 | | Mar 10, 2026 | GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF… |
| CVE-2026-27161 | | | 0.00 | — | 0.00 | | Feb 20, 2026 | GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these… |
| CVE-2021-47778 | | | 0.00 | — | 0.01 | | Jan 21, 2026 | GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server. |
| CVE-2025-48492 | | | 0.00 | — | 0.01 | | May 30, 2025 | GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE).… |
| CVE-2023-51246 | | | 0.00 | — | 0.00 | | Jan 8, 2024 | A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exists when using Source Code Mode as a backend user to add articles via the /admin/edit.php page. |
| CVE-2020-24861 | | | 0.00 | — | 0.01 | | Oct 1, 2020 | GetSimple CMS 3.3.16 allows in parameter 'permalink' on the Settings page persistent Cross Site Scripting which is executed when you create and open a new page |
| CVE-2020-23837 | | | 0.00 | — | 0.01 | | Sep 25, 2020 | A Cross-Site Request Forgery (CSRF) vulnerability in the Multi User plugin 1.8.2 for GetSimple CMS allows remote attackers to add admin (or other) users after an authenticated admin visits a third-party site or clicks on a URL. |
| CVE-2015-5356 | | | 0.00 | — | 0.02 | | Jul 1, 2015 | Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in GetSimple CMS before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the func parameter. |
| CVE-2015-5355 | | | 0.00 | — | 0.02 | | Jul 1, 2015 | Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post-content or (2) post-title parameter to admin/edit.php. |
| CVE-2014-8790 | | | 0.00 | — | 0.03 | | Jan 20, 2015 | XML external entity (XXE) vulnerability in admin/api.php in GetSimple CMS 3.1.1 through 3.3.x before 3.3.5 Beta 1, when in certain configurations, allows remote attackers to read arbitrary files via the data parameter. |
Page 1 of 2