CVE-2021-47778
Published: 21 January 2026
Summary
CVE-2021-47778 is a high-severity Code Injection (CWE-94) vulnerability in Get-Simple Getsimplecms. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 21.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.
- Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.
- Validates inputs used in dynamic code generation to block injected directives.
- Directly prevents execution of attacker-supplied code written into data memory regions.
NVD Description
GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.
Deeper analysis
CVE-2021-47778 is a PHP code injection vulnerability (CWE-94) affecting the My SMTP Contact Plugin version 1.1.2 for GetSimple CMS. The flaw exists in the plugin's configuration parameters, which fail to properly sanitize user input, allowing arbitrary PHP code injection that leads to remote code execution on the server. Published on 2026-01-21, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability can be exploited by an authenticated administrator (PR:H), who requires high privileges but no user interaction (UI:N). Attackers can leverage network access (AV:N) with low complexity (AC:L) to inject malicious PHP code via the plugin settings, achieving high levels of confidentiality, integrity, and availability compromise (C:H/I:H/A:H). This enables full remote code execution, potentially allowing attackers to control the server, exfiltrate data, or install persistent malware.
Advisories and related resources, including a VulnCheck advisory (https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-php-code-injection), detail the issue and potential mitigations. Proof-of-concept exploits are publicly available on Exploit-DB (https://www.exploit-db.com/exploits/49774) and GitHub (https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/), alongside GetSimple CMS resources (http://get-simple.info, https://github.com/GetSimpleCMS/GetSimpleCMS) that may provide patching guidance. Security practitioners should verify plugin updates or configuration hardening to prevent exploitation.
Details
- CWE(s)