A stored cross scripting (XSS) vulnerability in CMS Made Simple 2.2.14 allows authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload entered into the βEmail address to receive notification of news submissionβ parameter under the βOptionsβ module.