Description
A security flaw has been discovered in CMS Made Simple up to 2.2.21. Affected is an unknown function of the file admin/listusers.php in the User Management Module component. Manipulating the argument Message results in cross-site scripting. The attack can be carried out remotely. The exploit has been publicly released and may be used in attacks.
Published: 2026-03-16
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Scripting
Action: Patch ASAP
AI Analysis

Impact

The vulnerability in CMS Made Simple allows an attacker to inject malicious scripts through the Message argument in admin/listusers.php of the User Management Module. This cross-site scripting flaw can execute arbitrary JavaScript in the browsers of users who view the content, enabling cookie theft, session hijacking, site defacement, or the delivery of additional payloads. The flaw is classified as CWE-79.

Affected Systems

CMS Made Simple versions up to and including 2.2.21 are affected. The flaw resides in admin/listusers.php and can be triggered by manipulating the Message parameter.

Risk and Exploitability

The CVSS score of 4.8 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog, but exploit code is publicly available. An attacker can exploit the flaw remotely by delivering a crafted Message parameter to a user, authenticated or unauthenticated, who views the affected page. Note that the CVSS v3.x and v4.0 vectors recorded in the History section below carry PR:H and UI:R/UI:P, i.e. they rate the attack as requiring high privileges and user interaction, which is why the v3.x base scores are only 2.4.

Generated by OpenCVE AI on March 17, 2026 at 11:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade CMS Made Simple to a version newer than 2.2.21, or apply any vendor-provided patch that addresses the XSS issue.
  • If an immediate upgrade is not possible, restrict access to admin/listusers.php to privileged users only and validate or sanitize the Message input parameter to remove script content.
  • Disable or remove the User Management Module until a secure version is available.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 18:15:00 +0000

Values Removed: none
Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 08:00:00 +0000

Values Removed: none
Values Added:
  • Description: A security flaw has been discovered in CMS Made Simple up to 2.2.21. Impacted is an unknown function of the file admin/listusers.php of the component User Management Module. Performing a manipulation of the argument Message results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
  • Title: CMS Made Simple User Management listusers.php cross site scripting
  • First Time appeared: Cms Made Simple; Cms Made Simple cms Made Simple
  • Weaknesses: CWE-79, CWE-94
  • CPEs: cpe:2.3:a:cms_made_simple:cms_made_simple:*:*:*:*:*:*:*:*
  • Vendors & Products: Cms Made Simple; Cms Made Simple cms Made Simple
  • References: none listed
  • Metrics:
      cvssV2_0 {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:C'}
      cvssV3_0 {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
      cvssV3_1 {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:C'}
      cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED
Assigner: VulDB
Published:
Updated: 2026-03-16T17:15:48.555Z
Reserved: 2026-03-15T18:36:51.235Z
Link: CVE-2026-4225

Vulnrichment

Updated: 2026-03-16T17:15:38.640Z

NVD

Status: Awaiting Analysis
Published: 2026-03-16T14:20:15.227
Modified: 2026-03-16T14:53:07.390
Link: CVE-2026-4225

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:45:27Z

Weaknesses