CVE-2021-47870

low-risk

Published 2026-01-21

GetSimple CMS My SMTP Contact Plugin 1.1.2 suffers from a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when visiting a malicious page.

Do I need to act?

0.09% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Getsimplecms

Affected Vendors

Get-Simple

References (5)

Product http://get-simple.info

Product https://github.com/GetSimpleCMS/GetSimpleCMS

Exploit https://github.com/boku7/gsSMTP-Csrf2Xss2RCE/

Exploit https://www.exploit-db.com/exploits/49798

Third Party Advisory https://www.vulncheck.com/advisories/getsimple-cms-my-smtp-contact-plugin-stored...

/ 100

low-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal