CVE-2013-10032 HIGH

CVE-2013-10032: GetSimple CMS 3.2.1 Authenticated RCE via Arbitrary PHP File Upload

Vendor Getsimple Cms Project
Product GetSimple CMS
Weakness CWE-434 · Unrestricted file upload
Published July 25, 2025
Last update April 7, 2026

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

An authenticated remote code execution vulnerability exists in GetSimpleCMS version 3.2.1. The application’s upload.php endpoint allows authenticated users to upload arbitrary files without proper validation of MIME types or extensions. By uploading a .pht file containing PHP code, an attacker can bypass blacklist-based restrictions and place executable code within the web root. A crafted request using a polyglot or disguised extension allows the attacker to execute the payload by accessing the file directly via the web server. This vulnerability exists due to the use of a blacklist for filtering file types instead of a whitelist.
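The description's root cause is a denylist of file extensions, which any extension the list does not name (here `.pht`) walks past. The following is an added Python illustration of the allowlist alternative, not code from GetSimple CMS or from its upload.php; the extension sets, magic-byte table, sample filenames and sample file contents are all constructed for the example. It shows the denylist check accepting a `.pht` name, the allowlist check rejecting it, and a content check that also catches a PHP file hiding behind a permitted extension.

```python
import os
import secrets

# Denylist in the style the advisory describes: only named PHP extensions are blocked.
# Anything not on this list (such as ".pht") passes, which is the whole problem.
DENYLIST = {".php", ".php3", ".php4", ".php5", ".phtml"}

# Allowlist alternative: only explicitly permitted, non-executable extensions pass.
ALLOWLIST = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt"}

# Leading bytes expected for each allowed type (constructed table; ".txt" has none).
MAGIC = {
    ".png": [b"\x89PNG\r\n\x1a\n"],
    ".jpg": [b"\xff\xd8\xff"],
    ".jpeg": [b"\xff\xd8\xff"],
    ".gif": [b"GIF87a", b"GIF89a"],
    ".pdf": [b"%PDF-"],
    ".txt": [],
}


def _extension(filename):
    """Lower-cased final extension of the basename, e.g. 'a.php.jpg' -> '.jpg'."""
    return os.path.splitext(os.path.basename(filename))[1].lower()


def denylist_allows(filename):
    """The weak check: accept unless the extension is on the denylist."""
    return _extension(filename) not in DENYLIST


def allowlist_allows(filename):
    """The stronger check: accept only a non-empty extension that is on the allowlist."""
    ext = _extension(filename)
    return ext != "" and ext in ALLOWLIST


def content_matches(ext, data):
    """Verify the bytes look like the claimed type and carry no PHP open tag.

    The open-tag scan is a heuristic for the illustration: it catches a polyglot that
    is a valid image with PHP appended, but it is not a substitute for storing uploads
    where the web server will never execute them.
    """
    signatures = MAGIC.get(ext, [])
    if signatures and not any(data.startswith(sig) for sig in signatures):
        return False
    return b"<?php" not in data and b"<?=" not in data


def validate_upload(filename, data):
    """Return (accepted, reason) for an upload, allowlist first, then content."""
    ext = _extension(filename)
    if ext not in ALLOWLIST:
        return (False, "extension not in allowlist")
    if not content_matches(ext, data):
        return (False, "content does not match claimed type")
    return (True, "ok")


def storage_name(filename):
    """Never reuse the client-supplied name: random basename plus the validated extension."""
    return secrets.token_hex(16) + _extension(filename)


if __name__ == "__main__":
    # Constructed samples: a genuine PNG header, a PHP file with a ".pht" name,
    # and a PHP file hiding behind a double extension.
    samples = [
        ("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        ("shell.pht", b"<?php /* constructed sample */ ?>"),
        ("shell.php.jpg", b"<?php /* constructed sample */ ?>"),
    ]
    for name, body in samples:
        print(name, "denylist:", denylist_allows(name), "allowlist+content:", validate_upload(name, body))
```

The denylist accepts `shell.pht` because `.pht` is simply absent from the list; the allowlist rejects it because `.pht` was never granted. `shell.php.jpg` survives the extension check (its final extension is `.jpg`) and is only stopped by the content check, which is why an allowlist on its own is still not enough: uploads should also be stored under a server-generated name in a directory the web server serves as static content only.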

Key dates

02 Disclosure timeline

July 25, 2025 CVE published
April 7, 2026 Record updated