CVE-2021-47870

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
http://get-simple.info	Product
https://github.com/GetSimpleCMS/GetSimpleCMS	Product
https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/	Exploit Third Party Advisory
https://www.exploit-db.com/exploits/49798	Exploit Third Party Advisory VDB Entry
https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-stored-xss	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:get-simple:getsimplecms:1.1.2:*:*:*:*:*:*:*

History

29 Apr 2026, 01:00

Type	Values Removed	Values Added
Summary		(es) GetSimple CMS My SMTP Contact Plugin 1.1.2 sufre de una vulnerabilidad de Cross-Site Scripting Almacenado (XSS). El plugin intenta sanear la entrada del usuario usando htmlspecialchars(), pero esto puede ser eludido al pasar caracteres peligrosos como bytes hexadecimales escapados. Esto permite a los atacantes inyectar código arbitrario del lado del cliente que se ejecuta en el navegador del administrador al visitar una página maliciosa.

06 Mar 2026, 20:10

Type	Values Removed	Values Added
References	~~() http://get-simple.info -~~	() http://get-simple.info - Product
References	~~() https://github.com/GetSimpleCMS/GetSimpleCMS -~~	() https://github.com/GetSimpleCMS/GetSimpleCMS - Product
References	~~() https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/ -~~	() https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/ - Exploit, Third Party Advisory
References	~~() https://www.exploit-db.com/exploits/49798 -~~	() https://www.exploit-db.com/exploits/49798 - Exploit, Third Party Advisory, VDB Entry
References	~~() https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-stored-xss -~~	() https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-stored-xss - Third Party Advisory
First Time		Get-simple Get-simple getsimplecms
CPE		cpe:2.3:a:get-simple:getsimplecms:1.1.2:::::::*
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4

21 Jan 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-21 18:16

Updated : 2026-04-29 01:00

NVD link : CVE-2021-47870

Mitre link : CVE-2021-47870

CVE.ORG link : CVE-2021-47870

JSON object : View

Products Affected

get-simple

getsimplecms

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10