CVE-2021-47860

MEDIUM 5.3

GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE

CVSS Score

5.3

EPSS Score

0.0%

EPSS Percentile

0th

GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.

CWE	CWE-352
Vendor	getsimple cms
Product	custom js plugin
Published	Jan 21, 2026
Last Updated	Apr 7, 2026

Stay Ahead of the Next One

Get instant alerts for getsimple cms custom js plugin

Be the first to know when new medium vulnerabilities affecting getsimple cms custom js plugin are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Affected Versions

GetSimple CMS / Custom JS Plugin

0.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/49816 get-simple.info: http://get-simple.info github.com: https://github.com/GetSimpleCMS/GetSimpleCMS github.com: https://github.com/boku7/gsCMS-CustomJS-Csrf2Xss2Rce exploit-db.com: https://www.exploit-db.com/exploits/49712 vulncheck.com: https://www.vulncheck.com/advisories/getsimple-cms-custom-js-csrf-to-xss-to-rce

Credits

Bobby Cooke (boku) & Abhishek Joshi