CVE-2021-47870 MEDIUM

CVE-2021-47870: GetSimple CMS My SMTP Contact Plugin 1.1.2 - Stored XSS

Vendor GetSimple CMS
Product My SMTP Contact Plugin
Weakness CWE-79 · XSS
Published January 21, 2026
Last update May 12, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Active
Confidentiality Low
Integrity Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

GetSimple CMS My SMTP Contact Plugin 1.1.2 is affected by a Stored Cross-Site Scripting (XSS) vulnerability. The plugin attempts to sanitize user input using htmlspecialchars(), but this can be bypassed by passing dangerous characters as escaped hex bytes. This allows attackers to inject arbitrary client-side code that executes in the administrator's browser when the administrator visits a malicious page.

Key dates

02 Disclosure timeline

January 21, 2026 CVE published
May 12, 2026 Record updated