CVE-2021-47918

8.1 HIGH

📋 TL;DR

Simple CMS 2.1 contains a remote SQL injection vulnerability in the users module that allows authenticated attackers to execute arbitrary SQL commands. This can lead to complete database compromise, data theft, or web application takeover. Only Simple CMS 2.1 installations with admin access are affected.

💻 Affected Systems

Products:
  • Simple CMS
Versions: 2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin authentication to access the vulnerable admin.php file in the users module.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, or full web application takeover.

🟠 Likely Case

Database information disclosure, user credential theft, and potential administrative access to the CMS.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but uses simple SQL injection techniques against unvalidated parameters.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://simplephpscripts.com/simple-cms-php

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Add parameter validation and SQL injection filtering to admin.php user module parameters

Edit admin.php to add mysqli_real_escape_string() or prepared statements for all user inputs

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns targeting the users module

Add WAF rule: deny requests to admin.php that contain SQL keywords (SELECT, UNION, etc.)

🧯 If You Can't Patch

  • Restrict admin.php access to specific IP addresses using .htaccess or firewall rules
  • Run the web application under a database user with minimal privileges (read-only where possible)

🔍 How to Verify

Check if Vulnerable:

Check if Simple CMS version is 2.1 and review admin.php for unvalidated SQL parameters in user functions

Check Version:

Check CMS version in admin panel or look for version information in source files

Verify Fix Applied:

Test SQL injection attempts against the users module parameters to confirm they are properly sanitized

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed SQL queries in database logs
  • Unusual admin.php access patterns
  • SQL syntax errors in web server logs

Network Indicators:

  • HTTP POST requests to admin.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="*/admin.php*" AND (param="*SELECT*" OR param="*UNION*" OR param="*OR 1=1*")
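
The SIEM query above, as an added Python example (not part of the original advisory or of Simple CMS): it applies the same keyword check to requests for admin.php after URL-decoding each parameter, including double-encoded values, and matches on word boundaries to reduce false positives. The record layout, the `/cms/` path and the parameter names (`act`, `id`, `name`) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Keywords taken from the page's SIEM query; case-insensitive, on word boundaries.
SQLI = re.compile(r"\b(?:select|union)\b|\bor\s+1\s*=\s*1\b", re.IGNORECASE)

# Constructed sample records (not real traffic). Paths and parameter names are hypothetical.
SAMPLE = [
    {"src": "198.51.100.7", "method": "GET", "uri": "/cms/admin.php?act=users", "body": ""},
    {"src": "198.51.100.7", "method": "POST", "uri": "/cms/admin.php?act=users",
     "body": "id=1+union+select+1"},
    {"src": "203.0.113.9", "method": "POST", "uri": "/cms/admin.php",
     "body": "name=a%2520OR%25201%253D1"},          # double URL-encoded
    {"src": "203.0.113.9", "method": "POST", "uri": "/cms/admin.php",
     "body": "name=Selector+Unions"},               # benign look-alike words
    {"src": "192.0.2.44", "method": "GET", "uri": "/cms/index.php?q=union+select", "body": ""},
]

def params(record):
    """Yield (name, value) pairs from the query string and a form-encoded body."""
    query = urlsplit(record["uri"]).query
    for source in (query, record["body"]):
        yield from parse_qsl(source, keep_blank_values=True)

def suspicious_params(record):
    """Return names of parameters whose decoded value matches a SQL pattern."""
    if not urlsplit(record["uri"]).path.lower().endswith("/admin.php"):
        return []
    hits = []
    for name, value in params(record):
        # parse_qsl decoded once; decode again to catch double-encoded values.
        if SQLI.search(value) or SQLI.search(unquote_plus(value)):
            hits.append(name)
    return hits

def scan(records):
    """Return (source address, parameter name) pairs worth reviewing."""
    return [(r["src"], p) for r in records for p in suspicious_params(r)]

if __name__ == "__main__":
    for src, param in scan(SAMPLE):
        print(f"review: {src} sent SQL keywords in parameter '{param}' to admin.php")
```

Matches are leads for review, not proof of exploitation; POST bodies are only available if the web server or a proxy is configured to log them.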
