PT-2026-24402 · WordPress+1 · Massiveadmin+1

Dxleryt · Published 2026-03-10 · Updated 2026-03-10 · CVE-2026-28495

CVSS v3.1: 9.6 Critical
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
GetSimple CMS version 3.3.22
massiveAdmin plugin version 6.0.3
Description
GetSimple CMS, when used with the massiveAdmin plugin version 6.0.3, allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code through the gsconfig editor module. The form lacks Cross-Site Request Forgery (CSRF) protection, enabling a remote unauthenticated attacker to exploit this through CSRF against a logged-in administrator, potentially leading to Remote Code Execution (RCE) on the web server. This can be triggered by a malicious email containing an embedded form, resulting in a full server compromise.
Recommendations
For GetSimple CMS version 3.3.22 and massiveAdmin plugin version 6.0.3, ensure proper CSRF protection is implemented for the gsconfig editor module to prevent unauthorized modification of the gsconfig.php file.
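What the recommended CSRF protection looks like on the server side, as an added illustration that is not code from GetSimple CMS or the massiveAdmin plugin: a hypothetical save handler for the gsconfig editor in its unprotected form beside a version that binds a per-session random token to the form and rejects submissions without it. The function names, the `csrf_token` field name and the gsconfig.php location are assumptions.

```php
<?php
// Added illustration for this advisory; not GetSimple CMS or massiveAdmin code.
// Names (save_gsconfig_unsafe, save_gsconfig, csrf_token) are assumptions.
session_start();

$gsconfig_path = __DIR__ . '/gsconfig.php';   // assumed location

// BEFORE: the handler trusts any POST arriving with an authenticated session.
// The browser attaches the admin's session cookie to a form submitted from
// another origin, so attacker-chosen PHP reaches disk with no further check.
function save_gsconfig_unsafe(string $path, array $post): bool
{
    if (!isset($post['gsconfig'])) {
        return false;
    }
    return file_put_contents($path, $post['gsconfig']) !== false;
}

// AFTER: issue a random token tied to the session and require it on submit.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function save_gsconfig(string $path, array $post): bool
{
    // A missing token fails closed; hash_equals() avoids a timing side channel.
    if (!isset($post['csrf_token'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token'])) {
        http_response_code(403);
        return false;
    }
    if (!isset($post['gsconfig'])) {
        return false;
    }
    return file_put_contents($path, $post['gsconfig']) !== false;
}

// Render side: the token is emitted only in pages served by this site, so a
// form embedded in an e-mail or on a third-party page cannot supply it.
function gsconfig_form_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    save_gsconfig($gsconfig_path, $_POST);
}
```

Setting the session cookie with SameSite=Lax or Strict is a useful second layer, but the token check is what closes the gap described above, because it does not depend on browser cookie policy.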

CSRF

Weakness Enumeration

Related Identifiers
CVE-2026-28495
GHSA-92WV-Q2JP-QG88

Affected Products
Getsimple Cms
Massiveadmin