Cyber Resilience

CVE-2021-47778

High · Public PoC · RCE

Published: 21 January 2026
Modified: 06 March 2026
KEV Added: not listed
CVSS Score (v4): 8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0109 (61.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47778 is a high-severity Code Injection (CWE-94) vulnerability in Get-Simple Getsimplecms. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-47778 is a PHP code injection vulnerability (CWE-94) affecting the My SMTP Contact Plugin version 1.1.2 for GetSimple CMS. The flaw exists in the plugin's configuration parameters, which fail to properly sanitize user input, allowing arbitrary PHP code injection that leads to remote code execution on the server. Published on 2026-01-21, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

The vulnerability can be exploited by an authenticated administrator (PR:H), who requires high privileges but no user interaction (UI:N). Attackers can leverage network access (AV:N) with low complexity (AC:L) to inject malicious PHP code via the plugin settings, achieving high levels of confidentiality, integrity, and availability compromise (C:H/I:H/A:H). This enables full remote code execution, potentially allowing attackers to control the server, exfiltrate data, or install persistent malware.

Advisories and related resources, including a VulnCheck advisory (https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-php-code-injection), detail the issue and potential mitigations. Proof-of-concept exploits are publicly available on Exploit-DB (https://www.exploit-db.com/exploits/49774) and GitHub (https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/), alongside GetSimple CMS resources (http://get-simple.info, https://github.com/GetSimpleCMS/GetSimpleCMS) that may provide patching guidance. Security practitioners should verify plugin updates or configuration hardening to prevent exploitation.

Vulnerability details

GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.

CWE(s): CWE-94 (Code Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

PHP code injection in a web plugin directly enables exploitation of a public-facing application (T1190) for RCE and subsequent web shell deployment (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2013-10032 (same product: Get-Simple Getsimplecms)
- CVE-2021-47860 (same product: Get-Simple Getsimplecms)
- CVE-2026-30117 (shared CWE-94)
- CVE-2024-54724 (shared CWE-94)
- CVE-2026-32367 (shared CWE-94)
- CVE-2026-27044 (shared CWE-94)
- CVE-2025-66224 (shared CWE-94)
- CVE-2026-2296 (shared CWE-94)
- CVE-2025-52744 (shared CWE-94)
- CVE-2026-42607 (shared CWE-94)

Affected Assets

get-simple / getsimplecms / 1.1.2

Mitigating Controls (NIST 800-53 r5) (AI)

- prevent: SI-2 (Flaw Remediation). Requires timely identification, reporting, and remediation of flaws such as the PHP code injection in My SMTP Contact Plugin 1.1.2, preventing exploitation through patching or removal of the plugin.
- prevent: SI-10 (Information Input Validation). Mandates input validation at plugin configuration entry points to sanitize user-supplied values and directly block arbitrary PHP code injection.
- prevent: CM-11 (User-installed Software). Prohibits or scans user-installed software such as the vulnerable My SMTP Contact Plugin, preventing its deployment and the resulting code injection exposure.