CVE-2022-41544
published 2022-10-18

CVE-2022-41544: GetSimple CMS v3.3.16 was discovered to contain a remote code execution (RCE) vulnerability via the edited_file parameter in admin/theme-edit.php.

Priority: P268
Severity: critical (CVSS 3.1 base score 9.8)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 9.44% (94.8th percentile)

Affected (1 range)

Vendor: get-simple
Product: getsimple_cms
Version range: not stated
Fixed in: not stated

Detection & IOCs

  • path: admin/theme-edit.php
  • path: admin/index.php
  • command: proc_open with reverse shell via /bin/sh redirecting stdin/stdout/stderr to socket
  • Monitor POST requests to admin/theme-edit.php containing the 'edited_file' parameter, which is the injection point for RCE in GetSimple CMS v3.3.16.
  • The exploit leaks the API key from the CMS installation (api_leak function) and uses it to forge authentication cookies before uploading a PHP reverse shell — detect unauthenticated or anomalous API key retrieval requests followed by theme-edit POST activity.
  • The exploit fetches a CSRF nonce (nonce = get_csrf_token) and then calls upload_shell followed by shell_trigger — look for rapid sequential GET then POST requests to admin endpoints from the same source IP.
  • The PHP reverse shell payload uses proc_open() with file descriptors redirected to a raw TCP socket — detect PHP files in the theme directory containing 'proc_open' combined with socket descriptor redirection patterns ($sock, 1 => $sock, 2 => $sock).
  • The exploit specifically targets GetSimple CMS v3.3.16; the attacker performs version detection before exploitation, so ensure version strings are not exposed in page source.
  • Authentication is bypassed via API key leakage combined with forged cookies (set_cookies using username, version, and apikey) — the vulnerability is exploitable even without valid credentials if the API key is accessible.