
CVE-2021-47735

High · Public PoC

Published: 23 December 2025

Modified: 31 December 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0049 (65.8th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token.

Mitigating Controls (NIST 800-53 r5) [AI]

prevent

Directly addresses the inadequate input validation in the template editing endpoint that enables PHP code injection.

prevent

Restricts access to template file modifications, preventing low-privilege authenticated users from injecting malicious code.

prevent

Mandates remediation of the specific code injection flaw in CMSimple's template editing functionality through patching.

Security Summary [AI]

CVE-2021-47735 is an authenticated remote code execution vulnerability in CMSimple 5.4, classified under CWE-94 (Code Injection). It stems from inadequate input validation in the template editing functionality, enabling attackers to inject arbitrary PHP code into template files. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to network accessibility and potential for complete system compromise.

Logged-in users with low privileges can exploit this flaw by crafting a malicious PHP payload, such as a reverse shell, and submitting it via the template editing endpoint accompanied by a valid CSRF token. Successful exploitation grants remote code execution on the server, allowing attackers to execute arbitrary commands, potentially leading to full server control, data exfiltration, or further lateral movement within the environment.

Advisories from VulnCheck detail the authenticated RCE via template editing, while Exploit-DB provides a proof-of-concept exploit (ID 50356). Security practitioners should refer to the CMSimple.org website and these resources for any available patches, updates, or mitigation guidance, as the core vulnerability description outlines no specific remediation details.

Details

CWE(s)

Affected Products

cmsimple cmsimple 5.4 (vendor, product, version)

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1221 Template Injection (Stealth)
Adversaries may create or modify references in user document templates to conceal malicious code or force authentication attempts.

Why these techniques?

Authenticated RCE via code injection in template editing of public-facing CMSimple CMS directly enables T1190 (Exploit Public-Facing Application) and T1221 (Template Injection).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
