CVE-2021-47870 | THREATINT

Description

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page.

PUBLISHED Reserved 2026-01-18 | Published 2026-01-21 | Updated 2026-01-22 | Assigner VulnCheck

MEDIUM: 5.4CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

Improper Neutralization of Input During Web Page Generation ('Stored Cross-site Scripting')

Product status

1.1.2

affected

Credits

Bobby Cooke (boku) finder

References

github.com/boku7/gsSMTP-Csrf2Xss2RCE/ (Full Disclosure Repository) technical-description exploit

get-simple.info (Vendor Homepage) product

github.com/GetSimpleCMS/GetSimpleCMS (GetSimple CMS GitHub Repository) product

www.exploit-db.com/exploits/49798 (ExploitDB-49798) exploit

www.vulncheck.com/...e-cms-my-smtp-contact-plugin-stored-xss (VulnCheck Advisory: GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS) third-party-advisory

cve.org (CVE-2021-47870)

nvd.nist.gov (CVE-2021-47870)

Download JSON