GetSimple CMS My SMTP Contact Plugin PHP Code Injection Vulnerability Allowing Remote Code Execution
Vulnerability
A PHP code injection vulnerability has been identified in the My SMTP Contact plugin for GetSimple CMS, specifically in versions through 1.1.2. This vulnerability allows an authenticated administrator to inject arbitrary PHP code via the plugin's configuration parameters. The injected code can be executed remotely on the server.
Impact
Exploitation of this vulnerability allows for arbitrary PHP code execution on the server where the affected plugin is installed.
Reproduction
To reproduce this vulnerability, an authenticated administrator must navigate to the My SMTP Contact plugin's configuration page within the GetSimple CMS admin console. Once there, the administrator can inject PHP code into specific fields that accept user input. After saving the configuration, the injected code will be executed on the server.
Remediation
Users can update to My SMTP Contact Plugin version 1.1.2 or later, which addresses this vulnerability by implementing proper input sanitization and validation.
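The advisory does not say how the plugin persists its settings; the following is an added illustration of the vulnerability class it describes (not the plugin's or GetSimple's code), assuming a plugin that writes admin-entered SMTP settings to a generated PHP file. The first function shows the injectable pattern, the second the validated, data-only form that the remediation refers to; the setting names (`smtp_host`, `smtp_port`, `smtp_user`, `smtp_secure`) are constructed for the example.

```php
<?php
// Illustrative example of the vulnerability class, not the plugin's own code.
// Assumption: settings submitted from the admin form are persisted to a PHP file
// that the plugin later include()s.

// VULNERABLE pattern: the raw setting is interpolated into PHP source text, so a
// value containing a closing quote followed by PHP code becomes part of the
// generated file and runs the next time that file is included.
function saveSettingsUnsafe(string $file, array $settings): void
{
    $src = "<?php\n";
    foreach ($settings as $k => $v) {
        $src .= "\$config['$k'] = '$v';\n";   // no allow-list, no escaping, no validation
    }
    file_put_contents($src === '' ? '' : $file, $src);
}

// HARDENED: allow-list the keys, validate each value against the shape the
// setting actually needs, and store the result as data (JSON), never as code.
function saveSettingsSafe(string $file, array $input): void
{
    $rules = [
        'smtp_host'   => fn($v) => is_string($v) && preg_match('/^[A-Za-z0-9.-]{1,253}$/', $v) === 1,
        'smtp_port'   => fn($v) => ctype_digit((string) $v) && (int) $v >= 1 && (int) $v <= 65535,
        'smtp_user'   => fn($v) => is_string($v) && strlen($v) <= 255 && preg_match('/[\r\n]/', $v) === 0,
        'smtp_secure' => fn($v) => in_array($v, ['none', 'ssl', 'tls'], true),
    ];
    $clean = [];
    foreach ($rules as $key => $isValid) {
        if (!array_key_exists($key, $input) || !$isValid($input[$key])) {
            throw new InvalidArgumentException("Rejected value for setting '$key'");
        }
        $clean[$key] = (string) $input[$key];
    }
    // The file now holds data only; the PHP interpreter never parses it.
    file_put_contents($file, json_encode($clean, JSON_THROW_ON_ERROR), LOCK_EX);
}

// Loading side: decode the JSON instead of include()ing a generated PHP file.
function loadSettings(string $file): array
{
    return json_decode(file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
}
```

Replacing the generated-PHP storage with a data format removes the code-injection sink outright; the per-field validation additionally limits what an administrator-level account can write into the mail configuration.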
