GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page.
References
| Link | Resource |
|---|---|
| http://get-simple.info | Product |
| https://github.com/GetSimpleCMS/GetSimpleCMS | Product |
| https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/ | Exploit Third Party Advisory |
| https://www.exploit-db.com/exploits/49798 | Exploit Third Party Advisory VDB Entry |
| https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-stored-xss | Third Party Advisory |
Configurations
History
06 Mar 2026, 20:10
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Get-simple
Get-simple getsimplecms |
|
| CPE | cpe:2.3:a:get-simple:getsimplecms:1.1.2:*:*:*:*:*:*:* | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 5.4 |
| References | () http://get-simple.info - Product | |
| References | () https://github.com/GetSimpleCMS/GetSimpleCMS - Product | |
| References | () https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/ - Exploit, Third Party Advisory | |
| References | () https://www.exploit-db.com/exploits/49798 - Exploit, Third Party Advisory, VDB Entry | |
| References | () https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-stored-xss - Third Party Advisory |
21 Jan 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-21 18:16
Updated : 2026-03-06 20:10
NVD link : CVE-2021-47870
Mitre link : CVE-2021-47870
CVE.ORG link : CVE-2021-47870
JSON object : View
Products Affected
get-simple
- getsimplecms
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')