Description
GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server.
Published: 2026-03-10
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

This vulnerability exists in the massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22. The gsconfig editor module fails to include any cross-site request forgery protection. An attacker who can cause a crafted request to reach the editor form can make the server write arbitrary PHP code into the gsconfig.php configuration file. Because the request rides on a logged-in administrator's session, the write succeeds, and the injected code then executes under the web server's account, giving the attacker full remote code execution. The weakness aligns with CWE-352, cross-site request forgery, in which a privileged action is triggered through a victim's existing session rather than by the attacker authenticating.

Affected Systems

Affected systems are instances of GetSimple CMS Community Edition running version 3.3.22 that include the massiveAdmin plugin version 6.0.3. The plugin adds the vulnerable gsconfig editor functionality. Any deployment that has not applied a newer CMS release or removed the plugin is at risk.

Risk and Exploitability

The CVSS score is 9.7, indicating critical severity, while the EPSS score is less than 1%, suggesting that, at the time of scoring, the exploitation probability is very low but not zero. The vulnerability is not listed in the CISA KEV catalog. An attacker can exploit the CSRF vector by convincing a logged-in administrator to visit a malicious page that POSTs data to the editor endpoint, causing the server to write malicious PHP code to gsconfig.php. Once the web server processes that file, the code runs with the privileges of the web process. Because the target is a logged-in administrator, the attack requires the victim to be authenticated, but the request itself can be triggered from an external site.

Generated by OpenCVE AI on April 16, 2026 at 03:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest GetSimple CMS Community Edition that removes the vulnerable massiveAdmin plugin or apply any vendor-released patch that corrects the CSRF protection on the gsconfig editor.
  • If an upgrade is unavailable, uninstall or disable the massiveAdmin plugin and the gsconfig editor module to eliminate the code-write capability.
  • Restrict access to the CMS’s administrative interface to the minimum necessary users and, if possible, protect the admin interface with IP-based or two-factor authentication to reduce the window for a CSRF attack.
  • Add anti-CSRF tokens to all forms within the admin interface or enable any framework-level CSRF mechanism to prevent unauthorized form submissions.
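The last recommendation in practice, as an added example that is not code from GetSimple CMS or the massiveAdmin plugin: a synchronizer token is issued per session, embedded in the admin form, and checked with a constant-time comparison before any handler that writes configuration runs; the session cookie is also marked SameSite as defence in depth. Function names, the field name and the form are assumptions for illustration.

```php
<?php
// Added example: synchronizer-token CSRF protection for an admin form.
// Not code from GetSimple CMS or massiveAdmin; all names are assumed.

const CSRF_FIELD = 'csrf_token';

// Issue (or reuse) a random per-session token. Call after session_start().
function csrf_token(): string {
    if (empty($_SESSION[CSRF_FIELD])) {
        $_SESSION[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_FIELD];
}

// Hidden input to embed in every state-changing admin form.
function csrf_field(): string {
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify a submitted token: true only for a non-empty string token that
// matches the session value. hash_equals() avoids a timing side channel.
function csrf_verify(array $post): bool {
    $expected = $_SESSION[CSRF_FIELD] ?? '';
    $given = $post[CSRF_FIELD] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// Guard for a config-writing handler: reject before any file is touched.
function require_csrf(): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_verify($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Usage sketch (assumed handler): SameSite/HttpOnly/Secure session cookie,
// then the token check before the editor may write the configuration file.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    require_csrf();
    // ... only past this point may the editor write gsconfig.php ...
}
echo '<form method="post">' . csrf_field()
    . '<textarea name="config"></textarea><button>Save</button></form>';
```

A cross-origin form post from another site cannot read the victim's token, so the 403 branch is taken and nothing is written.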

Advisories

No advisories yet.

History

Thu, 12 Mar 2026 18:30:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:getsimple-ce:getsimple_cms:*:*:*:*:community:*:*:*

Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Getsimple-ce; Getsimple-ce getsimple Cms

Type: Vendors & Products
Values Added: Getsimple-ce; Getsimple-ce getsimple Cms

Tue, 10 Mar 2026 20:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 19:30:00 +0000

Type: Description
Values Added: GetSimple CMS is a content management system. The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. The form lacks CSRF protection, enabling a remote unauthenticated attacker to exploit this via Cross-Site Request Forgery against a logged-in admin, achieving Remote Code Execution (RCE) on the web server.

Type: Title
Values Added: GetSimple CMS has CSRF to Remote Code Execution via Arbitrary PHP Write in gsconfig.php

Type: Weaknesses
Values Added: CWE-352

Type: References

Type: Metrics
Values Added: cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}


Subscriptions

Getsimple-ce Getsimple Cms
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-10T19:51:57.515Z

Reserved: 2026-02-27T20:57:47.708Z

Link: CVE-2026-28495

Vulnrichment

Updated: 2026-03-10T19:51:52.847Z

NVD

Status : Analyzed

Published: 2026-03-10T20:16:37.663

Modified: 2026-03-12T18:21:10.780

Link: CVE-2026-28495

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T03:30:06Z

Weaknesses