CmsmadesimpleCVEs & Vulnerabilities

157 CVEs affecting Cmsmadesimple products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

cms made simple 832form builder 3bable\ 1cmsmadesimple 1file manager 1
CVE-2025-63678HIGH

An authenticated arbitrary file upload vulnerability in the /uploads/ endpoint of CMS Made Simple Foundation File Manager v2.2.22 allows attackers with Administrator privileges to execute arbitrary code via uploading a crafted PHP file.

11 Nov 2025
7.2
CVSS
CVE-2025-5153MEDIUM

A vulnerability, which was classified as problematic, has been found in CMS Made Simple 2.2.21. This issue affects some unknown processing of the component Design Manager Module. The manipulation of the argument Description leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

25 May 2025
4.8
CVSS
CVE-2024-1529MEDIUM

Vulnerability in CMS Made Simple 2.2.14, which does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/adduser.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially take over their browser session.

12 Mar 2024
6.1
CVSS
CVE-2024-1528MEDIUM

CMS Made Simple version 2.2.14, does not sufficiently encode user-controlled input, resulting in a Cross-Site Scripting (XSS) vulnerability through /admin/moduleinterface.php, in multiple parameters. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to an authenticated user and partially hijack their browser session.

12 Mar 2024
6.1
CVSS
CVE-2024-1527HIGH

Unrestricted file upload vulnerability in CMS Made Simple, affecting version 2.2.14. This vulnerability allows an authenticated user to bypass the security measures of the upload functionality and potentially create a remote execution of commands via webshell.

12 Mar 2024
8.8
CVSS
CVE-2024-27625MEDIUM

CMS Made Simple Version 2.2.19 is vulnerable to Cross Site Scripting (XSS). This vulnerability resides in the File Manager module of the admin panel. Specifically, the issue arises due to inadequate sanitization of user input in the "New directory" field.

5 Mar 2024
4.8
CVSS
CVE-2024-27623MEDIUM

CMS Made Simple version 2.2.19 is vulnerable to Server-Side Template Injection (SSTI). The vulnerability exists within the Design Manager, particularly when editing the Breadcrumbs.

5 Mar 2024
5.9
CVSS
CVE-2024-27622HIGH

A remote code execution vulnerability has been identified in the User Defined Tags module of CMS Made Simple version 2.2.19 / 2.2.21. This vulnerability arises from inadequate sanitization of user-supplied input in the 'Code' section of the module. As a result, authenticated users with administrative privileges can inject and execute arbitrary PHP code.

5 Mar 2024
7.2
CVSS
CVE-2023-43352HIGH

An issue in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload to the Content Manager Menu component.

27 Oct 2023
7.8
CVSS
CVE-2023-43360MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Top Directory parameter in the File Picker Menu component.

25 Oct 2023
5.4
CVSS
CVE-2023-43358MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the News Menu component.

24 Oct 2023
5.4
CVSS
CVE-2023-43357MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Title parameter in the Manage Shortcuts component.

21 Oct 2023
5.4
CVSS
CVE-2023-43356MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Global Meatadata parameter in the Global Settings Menu component.

21 Oct 2023
5.4
CVSS
CVE-2023-43355MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the password and password again parameters in the My Preferences - Add user component.

21 Oct 2023
5.4
CVSS
CVE-2023-43354MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Profiles parameter in the Extensions -MicroTiny WYSIWYG editor component.

21 Oct 2023
5.4
CVSS
CVE-2023-43353MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the extra parameter in the news menu component.

21 Oct 2023
5.4
CVSS
CVE-2023-43359MEDIUM

Cross Site Scripting vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted script to the Page Specific Metadata and Smarty data parameters in the Content Manager Menu component.

20 Oct 2023
5.4
CVSS
CVE-2023-43872MEDIUM

A File upload vulnerability in CMSmadesimple v.2.2.18 allows a local attacker to upload a pdf file with hidden Cross Site Scripting (XSS).

28 Sep 2023
5.4
CVSS
CVE-2023-43339MEDIUM

Cross-Site Scripting (XSS) vulnerability in cmsmadesimple v.2.2.18 allows a local attacker to execute arbitrary code via a crafted payload injected into the Database Name, DataBase User or Database Port components.

25 Sep 2023
6.1
CVSS
CVE-2023-36970MEDIUM

A Cross-site scripting (XSS) vulnerability in CMS Made Simple v2.2.17 allows remote attackers to inject arbitrary web script or HTML via the File Upload function.

6 Jul 2023
5.4
CVSS
CVE-2023-36969HIGH

CMS Made Simple v2.2.17 is vulnerable to Remote Command Execution via the File Upload Function.

6 Jul 2023
8.8
CVSS
CVE-2021-28999HIGH

SQL Injection vulnerability in CMS Made Simple through 2.2.15 allows remote attackers to execute arbitrary commands via the m1_sortby parameter to modules/News/function.admin_articlestab.php.

8 May 2023
8.8
CVSS
CVE-2021-28998HIGH

File upload vulnerability in CMS Made Simple through 2.2.15 allows remote authenticated attackers to gain a webshell via a crafted phar file.

8 May 2023
7.2
CVSS
CVE-2021-40961HIGH

CMS Made Simple <=2.2.15 is affected by SQL injection in modules/News/function.admin_articlestab.php. The $sortby variable is concatenated with $query1, but it is possible to inject arbitrary SQL language without using the '.

9 Jun 2022
8.8
CVSS
CVE-2021-43154MEDIUM

Cross Site Scripting (XSS) vulnerability exists in CMS Made Simple 2.2.15 via the Name field in an Add Category action in moduleinterface.php.

14 Apr 2022
6.1
CVSS
CVE-2022-23907MEDIUM

CMS Made Simple v2.2.15 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the parameter m1_fmmessage.

1 Mar 2022
6.1
CVSS
CVE-2022-23906HIGH

CMS Made Simple v2.2.15 was discovered to contain a Remote Command Execution (RCE) vulnerability via the upload avatar function. This vulnerability is exploited via a crafted image file.

1 Mar 2022
7.2
CVSS
CVE-2020-23481MEDIUM

CMS Made Simple 2.2.14 was discovered to contain a cross-site scripting (XSS) vulnerability which allows attackers to execute arbitrary web scripts or HTML via a crafted payload in the Field Definition text field.

22 Sep 2021
5.4
CVSS
CVE-2019-9060HIGH

An issue was discovered in CMS Made Simple 2.2.8. It is possible to achieve unauthenticated path traversal in the CGExtensions module (in the file action.setdefaulttemplate.php) with the m1_filename parameter; and through the action.showmessage.php file, it is possible to read arbitrary file content (by using that path traversal with m1_prefname set to cg_errormsg and m1_resettodefault=1).

17 Sep 2021
7.5
CVSS
CVE-2020-22732MEDIUM

CMS Made Simple (CMSMS) 2.2.14 allows stored XSS via the Extensions > Fie Picker..

5 Aug 2021
4.8
CVSS
CVE-2020-23241MEDIUM

Cross Site Scripting (XSS) vulnerability in CMS Made Simple 2.2.14 in "Extra" via 'News > Article" feature.

27 Jul 2021
4.8
CVSS
CVE-2020-23240MEDIUM

Cross Site Scripting (XSS) vulnerablity in CMS Made Simple 2.2.14 via the Logic field in the Content Manager feature.

27 Jul 2021
4.8
CVSS
CVE-2020-36416MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Design" parameter under the "Designs" module.

2 Jul 2021
5.4
CVSS
CVE-2020-36415MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Create a new Stylesheet" parameter under the "Stylesheets" module.

2 Jul 2021
5.4
CVSS
CVE-2020-36414MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "URL (slug)" or "Extra" fields under the "Add Article" feature.

2 Jul 2021
5.4
CVSS
CVE-2020-36413MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Exclude these IP addresses from the "Site Down" status" parameter under the "Maintenance Mode" module.

2 Jul 2021
5.4
CVSS
CVE-2020-36412MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Search Text" field under the "Admin Search" module.

2 Jul 2021
5.4
CVSS
CVE-2020-36411MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Path for the {page_image} tag:" or "Path for thumbnail field:" parameters under the "Content Editing Settings" module.

2 Jul 2021
5.4
CVSS
CVE-2020-36410MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Email address to receive notification of news submission" parameter under the "Options" module.

2 Jul 2021
5.4
CVSS
CVE-2020-36409MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Category" parameter under the "Categories" module.

2 Jul 2021
5.4
CVSS
CVE-2020-36408MEDIUM

A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the "Add Shortcut" parameter under the "Manage Shortcuts" module.

2 Jul 2021
5.4
CVSS
CVE-2020-27377MEDIUM

A cross-site scripting (XSS) vulnerability was discovered in the Administrator panel on the 'Setting News' module on CMS Made Simple 2.2.14 which allows an attacker to execute arbitrary web scripts.

1 Jun 2021
4.8
CVSS
CVE-2021-28935MEDIUMpoc

CMS Made Simple (CMSMS) 2.2.15 allows authenticated XSS via the /admin/addbookmark.php script through the Site Admin > My Preferences > Title field.

30 Mar 2021
5.4
CVSS
CVE-2020-20138MEDIUM

Cross Site Scripting (XSS) vulnerability in the Showtime2 Slideshow module in CMS Made Simple (CMSMS) 2.2.4.

18 Dec 2020
6.1
CVSS
CVE-2020-24860MEDIUM

CMS Made Simple 2.2.14 allows an authenticated user with access to the Content Manager to edit content and put persistent XSS payload in the affected text fields. The user can get cookies from every authenticated user who visits the website.

1 Oct 2020
5.4
CVSS
CVE-2020-22842MEDIUM

CMS Made Simple before 2.2.15 allows XSS via the m1_mod parameter in a ModuleManager local_uninstall action to admin/moduleinterface.php.

30 Sep 2020
5.4
CVSS
CVE-2020-17462HIGH

CMS Made Simple 2.2.14 allows Authenticated Arbitrary File Upload because the File Manager does not block .ptar files, a related issue to CVE-2017-16798.

14 Aug 2020
7.8
CVSS
CVE-2020-14926MEDIUM

CMS Made Simple 2.2.14 allows XSS via a Search Term to the admin/moduleinterface.php?mact=ModuleManager page.

19 Jun 2020
5.4
CVSS
← PrevPage 1 / 4Next →