CVE-2021-47860

EUVD-2026-3611
GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
VulnCheckCNA
5.3 MEDIUM
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Common Weakness Enumeration
References
http://get-simple.info
https://github.com/GetSimpleCMS/GetSimpleCMS
https://github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce
https://www.exploit-db.com/exploits/49712
https://www.exploit-db.com/exploits/49816
https://www.vulncheck.com/advisories/getsimple-cms-custom-js-csrf-to-xss-to-rce