VYPR

Getsimplecms Ce

All CVEs

46 total · sorted by risk
  • CVE-2022-41544 · Critical · Oct 18, 2022
    risk 0.67 · cvss 9.8 · epss 0.09

    GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.

  • CVE-2023-46042 · Critical · Oct 19, 2023
    risk 0.66 · cvss 9.8 · epss 0.23

    An issue in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the phpinfo().

  • CVE-2020-18191 · Critical · Oct 2, 2020
    risk 0.59 · cvss 9.1 · epss 0.02

    GetSimpleCMS-3.3.15 is affected by directory traversal. Remote attackers are able to delete arbitrary files via /GetSimpleCMS-3.3.15/admin/log.php

  • CVE-2018-17103 · High · Sep 16, 2018
    risk 0.57 · cvss 8.8 · epss 0.01

    An issue was discovered in GetSimple CMS v3.3.13. There is a CSRF vulnerability that can change the administrator's password via admin/settings.php. NOTE: The vendor reported that the PoC was sending a value for the nonce parameter

  • CVE-2014-8722 · High · Mar 17, 2017
    risk 0.53 · cvss 7.5 · epss 0.14

    GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) data/users/.xml, (2) backups/users/.xml.bak, (3) data/other/authorization.xml, or (4) data/other/appid.xml.

  • CVE-2021-28976 · High · Jun 23, 2021
    risk 0.50 · cvss 7.2 · epss 0.08

    Remote Code Execution vulnerability in GetSimpleCMS before 3.3.16 in admin/upload.php via phar files.

  • CVE-2020-23839 · Medium · Sep 1, 2020
    risk 0.43 · cvss 6.1 · epss 0.10

    A Reflected Cross-Site Scripting (XSS) vulnerability in GetSimple CMS v3.3.16, in the admin/index.php login portal webpage, allows remote attackers to execute JavaScript code in the client's browser and harvest login credentials after a client clicks a link, enters credentials,…

  • CVE-2018-9173 · Medium · Apr 2, 2018
    risk 0.43 · cvss 6.1 · epss 0.03

    Cross-site scripting (XSS) vulnerability in admin/template/js/uploadify/uploadify.swf in GetSimple CMS 3.3.13 allows remote attackers to inject arbitrary web script or HTML, as demonstrated by the movieName parameter.

  • CVE-2021-36601 · Medium · Aug 10, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    GetSimpleCMS 3.3.16 contains a cross-site Scripting (XSS) vulnerability, where Function TSL does not filter check settings.php Website URL: "siteURL" parameter.

  • CVE-2020-18660 · Medium · Jun 23, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    GetSimpleCMS <=3.3.15 has an open redirect in admin/changedata.php via the redirect function to the url parameter.

  • CVE-2020-18659 · Medium · Jun 23, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross Site Scripting vulnerability in GetSimpleCMS <=3.3.15 via the (1) sitename, (2) username, and (3) email parameters to /admin/setup.php

  • CVE-2020-18658 · Medium · Jun 23, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <=3.3.15 via the timezone parameter to settings.php.

  • CVE-2020-18657 · Medium · Jun 23, 2021
    risk 0.40 · cvss 6.1 · epss 0.01

    Cross Site Scripting (XSS) vulnerability in GetSimpleCMS <= 3.3.15 in admin/changedata.php via the redirect_url parameter and the headers_sent function.

  • CVE-2013-1420 · Medium · Jan 2, 2020
    risk 0.40 · cvss 6.1 · epss 0.01

    Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to backup-edit.php; (2) title or (3) menu parameter to edit.php; or (4) path or (5) returnid parameter to…

  • CVE-2019-9915 · Medium · Mar 22, 2019
    risk 0.40 · cvss 6.1 · epss 0.04

    GetSimpleCMS 3.3.13 has an Open Redirect via the admin/index.php redirect parameter.

  • CVE-2018-16325 · Medium · Sep 1, 2018
    risk 0.40 · cvss 6.1 · epss 0.01

    There is XSS in GetSimple CMS 3.4.0.9 via the admin/edit.php title field.

  • CVE-2017-10673 · Medium · Jun 29, 2017
    risk 0.40 · cvss 6.1 · epss 0.01

    admin/profile.php in GetSimple CMS 3.x has XSS in a name field.

  • CVE-2021-47870 · Medium · Jan 21, 2026
    risk 0.35 · cvss 5.4 · epss 0.00

    GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to…

  • CVE-2023-51246 · Medium · Jan 8, 2024
    risk 0.35 · cvss 5.4 · epss 0.00

    A Cross Site Scripting (XSS) vulnerability in GetSimple CMS 3.3.16 exists when using Source Code Mode as a backend user to add articles via the /admin/edit.php page.

  • CVE-2023-46040 · Medium · Oct 31, 2023
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross Site Scripting vulnerability in GetSimpleCMS v.3.4.0a allows a remote attacker to execute arbitrary code via a crafted payload to the components.php function.

  • CVE-2020-21353 · Medium · Aug 6, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    A stored cross site scripting (XSS) vulnerability in /admin/snippets.php of GetSimple CMS 3.4.0a allows attackers to execute arbitrary web scripts or HTML via crafted payload in the Edit Snippets module.

  • CVE-2020-20391 · Medium · Jun 23, 2021
    risk 0.35 · cvss 5.4 · epss 0.01

    Cross Site Scripting vulnerability in GetSimpleCMS 3.4.0a in admin/snippets.php via (1) Add Snippet and (2) Save snippets.

  • CVE-2019-16333 · Medium · Sep 15, 2019
    risk 0.35 · cvss 5.4 · epss 0.01

    GetSimple CMS v3.3.15 has Persistent Cross-Site Scripting (XSS) in admin/theme-edit.php.

  • CVE-2018-19845 · Medium · Dec 31, 2018
    risk 0.35 · cvss 5.4 · epss 0.01

    There is Stored XSS in GetSimple CMS 3.3.12 via the admin/edit.php "post-menu" parameter, a related issue to CVE-2018-16325.

  • CVE-2014-8723 · Medium · Mar 17, 2017
    risk 0.35 · cvss 5.3 · epss 0.01

    GetSimple CMS 3.3.4 allows remote attackers to obtain sensitive information via a direct request to (1) plugins/anonymous_data.php or (2) plugins/InnovationPlugin.php, which reveals the installation path in an error message.

  • CVE-2026-26351 · Medium · Feb 24, 2026
    risk 0.31 · cvss 4.8 · epss 0.00

    GetSimpleCMS Community Edition (CE) versions prior to 3.3.22 (3.3.16 tested) contains a stored cross-site scripting (XSS) vulnerability in the Theme to Components functionality within components.php. User-supplied input provided to the "slug" field of a component is stored…

  • CVE-2023-6188 · Medium · Nov 17, 2023
    risk 0.31 · cvss 4.7 · epss 0.01

    A vulnerability was found in GetSimpleCMS 3.3.16/3.4.0a. It has been rated as critical. This issue affects some unknown processing of the file /admin/theme-edit.php. The manipulation leads to code injection. The attack may be initiated remotely. The exploit has been disclosed to…

  • CVE-2020-20389 · Medium · Jun 23, 2021
    risk 0.31 · cvss 4.8 · epss 0.01

    Cross Site Scripting (XSS) vulnerability in GetSimpleCMS 3.4.0a in admin/edit.php.

  • CVE-2021-28977 · Medium · Jun 23, 2021
    risk 0.31 · cvss 4.8 · epss 0.01

    Cross Site Scripting vulnerability in GetSimpleCMS 3.3.16 in admin/upload.php by adding comments or jpg and other file header information to the content of xla, pages, and gzip files,

  • CVE-2018-15843 · Medium · Aug 25, 2018
    risk 0.31 · cvss 4.8 · epss 0.01

    GetSimple CMS 3.3.14 has XSS via the admin/edit.php "Add New Page" field.

  • CVE-2018-19421 · Low · Nov 21, 2018
    risk 0.25 · cvss 3.8 · epss 0.01

    In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but Internet Explorer renders HTML elements in a .eml file, because of admin/upload-uploadify.php, and validate_safe_file in admin/inc/security_functions.php.

  • CVE-2018-19420 · Low · Nov 21, 2018
    risk 0.25 · cvss 3.8 · epss 0.01

    In GetSimpleCMS 3.3.15, admin/upload.php blocks .html uploads but there are several alternative cases in which HTML can be executed, such as a file with no extension or an unrecognized extension (e.g., the test or test.asdf filename), because of admin/upload-uploadify.php, and…

  • CVE-2013-10032 · Jul 25, 2025
    risk 0.09 · cvss n/a · epss 0.02

    An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP…

  • CVE-2026-28495 · Mar 10, 2026
    risk 0.00 · cvss n/a · epss 0.00

    GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF…

  • CVE-2026-27202 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.01

    GetSimple CMS is a content management system. All versions of GetSimple CMS have a flaw in the Uploaded Files feature that allows for arbitrary file reads. This issue has not been fixed at the time of publication.

  • CVE-2026-27161 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    GetSimple CMS is a content management system. All versions of GetSimple CMS rely on .htaccess files to restrict access to sensitive directories such as /data/ and /backups/. If Apache AllowOverride is disabled (common in hardened or shared hosting environments), these…

  • CVE-2026-27147 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    GetSimple CMS is a content management system. All versions of GetSimple CMS are vulnerable to XSS through SVG file uploads. Authenticated users can upload SVG files via the administrative upload functionality, but they are not properly sanitized or restricted, allowing an…

  • CVE-2026-27146 · Feb 20, 2026
    risk 0.00 · cvss n/a · epss 0.00

    GetSimple CMS is a content management system. All versions of GetSimple CMS do not implement CSRF protection on the administrative file upload endpoint. As a result, an attacker can craft a malicious web page that silently triggers a file upload request from an authenticated…

  • CVE-2021-47860 · Jan 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to…

  • CVE-2021-47830 · Jan 21, 2026
    risk 0.00 · cvss n/a · epss 0.00

    GetSimple CMS My SMTP Contact Plugin 1.1.1 contains a cross-site request forgery (CSRF) vulnerability. Attackers can craft a malicious webpage that, when visited by an authenticated administrator, can change SMTP configuration settings in the plugin. This may allow unauthorized…

  • CVE-2025-48492 · May 30, 2025
    risk 0.00 · cvss n/a · epss 0.01

    GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE).…

  • CVE-2024-55086 · Dec 18, 2024
    risk 0.00 · cvss n/a · epss 0.00

    In the GetSimple CMS CE 3.3.19 management page, Server-Side Request Forgery (SSRF) can be achieved in the plug-in download address in the backend management system.

  • CVE-2024-55085 · Dec 16, 2024
    risk 0.00 · cvss n/a · epss 0.01

    GetSimple CMS CE 3.3.19 suffers from arbitrary code execution in the template editing function in the background management system, which can be used by an attacker to implement RCE.

  • CVE-2024-11125 · Nov 12, 2024
    risk 0.00 · cvss n/a · epss 0.00

    A vulnerability was found in GetSimpleCMS 3.3.16 and classified as problematic. This issue affects some unknown processing of the file /admin/profile.php. The manipulation leads to cross-site request forgery. The attack may be initiated remotely. The exploit has been disclosed…

  • CVE-2015-5356 · Jul 1, 2015
    risk 0.00 · cvss n/a · epss 0.02

    Cross-site scripting (XSS) vulnerability in admin/filebrowser.php in GetSimple CMS before 3.3.6 allows remote attackers to inject arbitrary web script or HTML via the func parameter.

  • CVE-2015-5355 · Jul 1, 2015
    risk 0.00 · cvss n/a · epss 0.02

    Multiple cross-site scripting (XSS) vulnerabilities in GetSimple CMS before 3.3.6 allow remote attackers to inject arbitrary web script or HTML via the (1) post-content or (2) post-title parameter to admin/edit.php.