CVE-2021-47736

EUVD-2025-204838
CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
VulnCheckCNA
7.2 HIGH
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
cmsimple-xhcmsimple_xh
1.7.4
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://www.cmsimple-xh.org/
https://www.exploit-db.com/exploits/50367
https://www.vulncheck.com/advisories/cmsimplexh-authenticated-remote-code-execution-via-content-editing