CVE-2021-47919

6.4 MEDIUM

📋 TL;DR

Simple CMS 2.1 contains a reflected cross-site scripting vulnerability in the preview.php file's id parameter. Attackers can craft malicious URLs containing JavaScript payloads that execute when victims visit them, potentially stealing session cookies or redirecting to phishing sites. This affects all Simple CMS 2.1 installations with the vulnerable preview.php file.

💻 Affected Systems

Products:
  • Simple CMS
Versions: 2.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of Simple CMS 2.1. Any system running this version with the preview.php file accessible is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal administrator session cookies, gain full control of the CMS, deface websites, or install backdoors for persistent access.

🟠 Likely Case

Attackers steal user session cookies to impersonate legitimate users, perform phishing attacks by redirecting to malicious sites, or deface website content temporarily.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts are neutralized before execution, preventing any client-side code injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and involves simple URL manipulation with JavaScript payloads. Public proof-of-concept examples demonstrate basic alert() payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://simplephpscripts.com/simple-cms-php

Restart Required: No

Instructions:

1. Check the vendor website for an updated version.
2. If no patch is available, apply the workarounds below.
3. Consider migrating to an alternative CMS if vendor support is unavailable.

🔧 Temporary Workarounds

Input Validation and Output Encoding

Applies to: all

Modify preview.php to validate and sanitize the id parameter before use.

Edit preview.php and add the following before the $id variable is used (ENT_QUOTES also escapes single quotes, which matters if $id is echoed inside an HTML attribute):

$id = htmlspecialchars($_GET['id'] ?? '', ENT_QUOTES, 'UTF-8');

Content Security Policy Header

Applies to: all

Implement CSP headers to restrict script execution sources. Note that this policy also blocks the site's own inline scripts, so test the CMS pages before deploying it.

Add to .htaccess (requires Apache mod_headers): Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or send it from PHP before any output: header("Content-Security-Policy: default-src 'self'; script-src 'self'");

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads in GET parameters.
  • Disable or restrict access to preview.php if not required for functionality.

🔍 How to Verify

Check if Vulnerable:

Access preview.php with a test payload, e.g. http://example.com/preview.php?id=<script>alert('XSS')</script>, and check whether the alert executes.

Check Version:

Check CMS version in admin panel or look for version indicators in source code/comments.

Verify Fix Applied:

Test with the same payload after applying the fixes: the alert should not execute and the payload should be displayed as plain text.

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests to preview.php containing <script>, javascript:, or other XSS patterns in URL parameters
  • Unusual parameter values in preview.php access logs

Network Indicators:

  • HTTP requests with suspicious JavaScript payloads in GET parameters
  • Multiple requests to preview.php with varying id parameters

SIEM Query:

source="web_logs" AND uri="/preview.php" AND (param="id" AND value MATCHES "(?i)(<script|javascript:|onload=|onerror=)")
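The SIEM query above matches the patterns against the raw request string, so a percent-encoded or double-encoded payload (the usual form in access logs) would be missed. The following added example, not part of the original advisory, applies the same patterns to preview.php access-log lines after URL-decoding the id parameter. The log lines and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Same indicator patterns as the SIEM query, applied after decoding.
XSS_PATTERN = re.compile(r"(<script|javascript:|onload=|onerror=)", re.IGNORECASE)

# Constructed sample access-log lines in Apache combined style (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /preview.php?id=42 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /preview.php?id=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640
203.0.113.9 - - [10/Mar/2024:10:00:03 +0000] "GET /preview.php?id=%253Cscript%253E HTTP/1.1" 200 512
203.0.113.9 - - [10/Mar/2024:10:00:04 +0000] "GET /index.php?id=%3Cscript%3E HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)'
)


def parse_line(line):
    """Split one access-log line into ip, timestamp, method, target and status."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_preview_xss(log_text, param="id", path="/preview.php"):
    """Return requests to `path` whose `param` value decodes to an XSS indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        parts = urlsplit(rec["target"])
        if parts.path != path:
            continue
        # parse_qs removes one layer of percent-encoding; unquote once more
        # so a double-encoded payload (%253C -> %3C -> <) is still caught.
        for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            decoded = unquote(value)
            if XSS_PATTERN.search(decoded):
                hits.append({"ip": rec["ip"], "ts": rec["ts"], "value": decoded})
    return hits


if __name__ == "__main__":
    for hit in find_preview_xss(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} id={hit['value']!r}")
```

The request to index.php is deliberately left unflagged because the page's indicator is scoped to preview.php; widen `path` if other scripts echo the same parameter.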
