CMSimple 5.4 Authenticated Local File Inclusion Remote Code Execution

Advisories

severity: high
date: December 23, 2025
Affecting: CMSimple 5.4
CVE: CVE-2021-47734
CWE: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-50547
Official CMSimple Homepage
Credit: S1lv3r
Description: CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms.