🔐 CVE Alert

CVE-2013-10032

UNKNOWN 0.0

GetSimple CMS 3.2.1 Authenticated RCE via Arbitrary PHP File Upload

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.
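The difference between the two filtering approaches described above, as an added example. This is not GetSimple CMS code: the function names, the denylist contents and the allowed-extension list are assumptions chosen for illustration.

```php
<?php
// Added illustration; not GetSimple CMS code. Lists and names are hypothetical.

// Denylist check (the flawed pattern): anything not listed is accepted.
const DENIED_EXTENSIONS = ['php', 'php3', 'php5', 'phtml']; // constructed sample list

function denylist_allows(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_EXTENSIONS, true);
}

// Allowlist check: only known-safe extensions pass, and every dot-separated
// segment after the base name is checked, so disguised extensions fail too.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

function allowlist_allows(string $name): bool
{
    $base = basename(str_replace('\\', '/', $name));
    // Reject empty names, dotfiles such as ".htaccess", and control bytes.
    if ($base === '' || $base[0] === '.' || preg_match('/[\x00-\x1f]/', $base)) {
        return false;
    }
    $parts = explode('.', strtolower(rtrim($base, '. ')));
    if (count($parts) < 2) {
        return false; // no extension at all
    }
    array_shift($parts); // drop the base name, keep every extension segment
    foreach ($parts as $segment) {
        if (!in_array($segment, ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// Store under a server-generated name so the client never picks the final path.
function stored_name(string $name): string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample file names.
foreach (['photo.JPG', 'notes.txt', 'upload.pht', 'image.pht.jpg', '.htaccess'] as $n) {
    printf("%-14s denylist=%-5s allowlist=%s\n", $n,
        denylist_allows($n) ? 'pass' : 'block', allowlist_allows($n) ? 'pass' : 'block');
}
```

The allowlist version is deliberately strict and also rejects benign names with extra dots; call `stored_name()` only after `allowlist_allows()` returns true. Configuring the web server not to execute scripts from the upload directory adds a second layer.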

CWE: CWE-434, CWE-306
Vendor: getsimple cms project
Product: getsimple cms
Published: Jul 25, 2025
Last Updated: Apr 7, 2026

Affected Versions

GetSimple CMS Project / GetSimple CMS
3.2.1

References

raw.githubusercontent.com: https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/unix/webapp/get_simple_cms_upload_exec.rb
exploit-db.com: https://www.exploit-db.com/exploits/25405
broadcom.com: https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=27895
fortiguard.com: https://www.fortiguard.com/encyclopedia/ips/39295
get-simple.info: https://get-simple.info
vulncheck.com: https://www.vulncheck.com/advisories/getsimple-cms-auth-rce-via-arbitrary-php-file-upload

Credits

Ahmed Elhady Mohamed