GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection | Advisories

Advisories

GetSimple CMS My SMTP Contact Plugin 1.1.2 - PHP Code Injection

severity: high
date: January 21, 2026
Affecting: My SMTP Contact Plugin 1.1.2
CVE: CVE-2021-47778
CWE: CWE-94 Improper Neutralization of Special Elements used in a Command ('PHP Code Injection')
CVSS: 8.6
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: ExploitDB-49774
Vendor Homepage
GetSimple CMS GitHub Repository
Full Disclosure Repository
Credit: Bobby Cooke (boku)
Description: GetSimple CMS My SMTP Contact Plugin 1.1.2 contains a PHP code injection vulnerability. An authenticated administrator can inject arbitrary PHP code through plugin configuration parameters, leading to remote code execution on the server.