CVE-2021-47778
Published: 21 January 2026
Summary
CVE-2021-47778 is a high-severity Code Injection (CWE-94) vulnerability in Get-Simple Getsimplecms. Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 38.9% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-47778 is a PHP code injection vulnerability (CWE-94) affecting the My SMTP Contact Plugin version 1.1.2 for GetSimple CMS. The flaw exists in the plugin's configuration parameters, which fail to properly sanitize user input, allowing arbitrary PHP code injection that leads to remote code execution on the server. Published on 2026-01-21, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
The vulnerability is exploitable by an authenticated administrator: high privileges are required (PR:H) but no user interaction (UI:N). An attacker with network access (AV:N) and low attack complexity (AC:L) injects PHP code via the plugin settings, achieving full compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). The result is remote code execution, which may allow the attacker to control the server, exfiltrate data, or install persistent malware.
Advisories and related resources, including a VulnCheck advisory (https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-php-code-injection), detail the issue and potential mitigations. Proof-of-concept exploits are publicly available on Exploit-DB (https://www.exploit-db.com/exploits/49774) and GitHub (https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/), alongside GetSimple CMS resources (http://get-simple.info, https://github.com/GetSimpleCMS/GetSimpleCMS) that may provide patching guidance. Security practitioners should verify plugin updates or configuration hardening to prevent exploitation.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3660
Vulnerability details
GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
PHP code injection in a web plugin directly enables exploitation of a public-facing application (T1190) for RCE and web shell deployment (T1100).
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: requires timely identification, reporting, and remediation of flaws such as the PHP code injection in My SMTP Contact Plugin 1.1.2, preventing exploitation through patching or removal.
- SI-10 (Information Input Validation): mandates input validation mechanisms at plugin configuration entry points to sanitize user input and directly block arbitrary PHP code injection.
- CM-11 (User-installed Software): prohibits or scans user-installed software such as the vulnerable My SMTP Contact Plugin, preventing its deployment and the resulting code injection vulnerability.