CVE-2021-47734

EUVD-2025-204835
CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms.
PHP Remote File Inclusion
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheckCNA
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 25%
Affected Products (NVD)
VendorProductVersion
cmsimplecmsimple
5.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cmsimple.org/en/
https://www.exploit-db.com/exploits/50547
https://www.vulncheck.com/advisories/cmsimple-authenticated-local-file-inclusion-remote-code-execution