CMSimple 5.4 Security Vulnerabilities
CMSimple 5.4 contains an authenticated local file inclusion vulnerability that allows remote attackers to manipulate PHP session files and execute arbitrary code. Attackers can leverage the vulnerability by changing the functions file path and uploading malicious PHP code through session file upload mechanisms.
CVSS Score: 7.8 | EPSS Score: 0.003 | Published: 2025-12-23

CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing endpoint with a valid CSRF token.
CVSS Score: 8.8 | EPSS Score: 0.003 | Published: 2025-12-23

CMSimple 5.4 contains a cross-site scripting vulnerability that allows attackers to bypass input filtering by using HTML to Unicode encoding. Attackers can inject malicious scripts by encoding payloads like ')-alert(1)// and execute arbitrary JavaScript when victims interact with delete buttons.
CVSS Score: 6.1 | EPSS Score: 0.0 | Published: 2025-12-23

CMSimple 5.4 is vulnerable to Directory Traversal. The vulnerability exists when a user changes the file name to a malicious file on config.php, leading to remote code execution.
CVSS Score: 9.8 | EPSS Score: 0.114 | Published: 2022-04-13

CMSimple 5.4 is vulnerable to Cross Site Scripting (XSS) via the file upload feature.
CVSS Score: 5.4 | EPSS Score: 0.002 | Published: 2022-04-13



Shodan ® - All rights reserved