
Description

CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms.

PUBLISHED Reserved 2025-12-23 | Published 2025-12-23 | Updated 2025-12-23 | Assigner VulnCheck




HIGH: 8.6 | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
MEDIUM: 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

Product status

CMSimple 5.4
affected

Credits

S1lv3r finder

References

www.exploit-db.com/exploits/50547 (ExploitDB-50547) exploit

www.cmsimple.org/en/ (Official CMSimple Homepage) product

www.vulncheck.com/...al-file-inclusion-remote-code-execution (VulnCheck Advisory: CMSimple 5.4 Authenticated Local File Inclusion Remote Code Execution) third-party-advisory

cve.org (CVE-2021-47734)

nvd.nist.gov (CVE-2021-47734)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.