Cms Made Simple · Cms Made Simple · CVE-2018-1000158
**Name of the Vulnerable Software and Affected Versions**
cmsmadesimple version 2.2.7
**Description**
The issue is related to an Incorrect Access Control vulnerability in the `send recovery email` function. This vulnerability can lead to Administrator Password Reset Poisoning, where an attacker can create a reset URL pointing to an attacker-controlled server by using a host header attack.
**Recommendations**
For cmsmadesimple version 2.2.7, consider disabling the `send recovery email` function until a patch is available to prevent potential exploitation. Additionally, restrict access to the recovery email feature to minimize the risk of abuse.