CVE-2021-47860 HIGH

CVE-2021-47860: GetSimple CMS Custom JS 0.1 - CSRF to XSS to RCE

Vendor GetSimple CMS
Product Custom JS Plugin
Weakness CWE-352 · CSRF
Published January 21, 2026
Last update April 7, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The GetSimple CMS Custom JS 0.1 plugin contains a cross-site request forgery vulnerability that allows unauthenticated attackers to inject arbitrary client-side code into administrator browsers. Attackers can craft a malicious website that triggers a cross-site scripting payload to execute remote code on the hosting server when an authenticated administrator visits the page.

Key dates

02 Disclosure timeline

January 21, 2026 CVE published
April 7, 2026 Record updated