Platform: php
Component: my-smtp-contact-plugin
Fixed in: 1.1.2
CVE-2021-47830 describes a cross-site request forgery (CSRF) vulnerability affecting versions 1.1.1–1.1.1 of the My SMTP Contact Plugin for GetSimple CMS. This vulnerability allows attackers to manipulate SMTP configuration settings within the plugin if an authenticated administrator visits a malicious webpage. While it doesn't directly lead to remote code execution, it can enable unauthorized changes to email server settings.
The primary impact of this CSRF vulnerability lies in the potential for unauthorized modification of SMTP configuration settings. An attacker could leverage this to redirect email traffic, potentially leading to phishing campaigns or denial-of-service scenarios by disrupting legitimate email delivery. While direct remote code execution is not possible, the ability to control email routing can be exploited for various malicious purposes, including data exfiltration or impersonation. The blast radius extends to any users who rely on the GetSimple CMS site for email communication.
This vulnerability was publicly disclosed on 2026-01-21. No public proof-of-concept (PoC) code has been identified at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The probability of exploitation is considered low due to the lack of readily available exploits and the requirement for an authenticated administrator to be targeted.
Exploit Status
EPSS: 0.07% (22nd percentile)
CISA SSVC
The most effective mitigation is to upgrade to a patched version of the My SMTP Contact Plugin as soon as it becomes available. Until a patch is released, implement strict input validation on all parameters related to SMTP configuration. Consider adding CSRF tokens to all relevant forms and actions within the plugin to prevent unauthorized requests. Web application firewalls (WAFs) can be configured to detect and block suspicious requests exhibiting CSRF patterns. Regularly review SMTP configuration settings for any unexpected changes.
Update the My SMTP Contact plugin to the latest available version to mitigate the CSRF vulnerability. Verify that plugin configurations are protected against unauthorized modifications. Implement additional security measures, such as input validation and general CSRF protection.
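The settings-save pattern the advisory describes, shown as an added example rather than the plugin's own code: a handler that trusts any POST from an authenticated admin's browser, beside a hardened version that requires a per-session CSRF token, checks the request's origin, and validates the SMTP values. The settings file path and field names are assumptions.

```php
<?php
// Added example, not the plugin's code. Settings path and field names are assumed.
session_start();
const SETTINGS_FILE = __DIR__ . '/smtp_settings.json'; // hypothetical storage

function saveSmtpSettings(array $post): void {
    // Weak form: any POST carrying the admin's session cookie is honoured,
    // so a page the admin merely visits can submit it cross-site (CSRF).
    $settings = [
        'host' => $post['smtp_host'] ?? '',
        'port' => (int)($post['smtp_port'] ?? 25),
        'user' => $post['smtp_user'] ?? '',
    ];
    file_put_contents(SETTINGS_FILE, json_encode($settings), LOCK_EX);
}

function csrfToken(): string {
    // One unguessable token per session; embed it in the settings form as a hidden field.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function isSameOriginRequest(string $siteOrigin): bool {
    // Secondary defence: Origin (or, failing that, Referer) must be our own site.
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin === '' && isset($_SERVER['HTTP_REFERER'])) {
        $p = parse_url($_SERVER['HTTP_REFERER']);
        $origin = ($p['scheme'] ?? '') . '://' . ($p['host'] ?? '');
    }
    return $origin !== '' && $origin === $siteOrigin;
}

function saveSmtpSettingsHardened(array $post, string $siteOrigin): bool {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') return false;
    $sent = $post['csrf_token'] ?? '';
    // Constant-time comparison against the session token; reject anything else.
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) return false;
    if (!isSameOriginRequest($siteOrigin)) return false;
    // Validate the values themselves: a real hostname and a sane port.
    $host = $post['smtp_host'] ?? '';
    $port = filter_var($post['smtp_port'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    if ($port === false || filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) return false;
    $settings = ['host' => $host, 'port' => $port, 'user' => $post['smtp_user'] ?? ''];
    file_put_contents(SETTINGS_FILE, json_encode($settings), LOCK_EX);
    return true;
}
// Form field to emit: <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrfToken()) ?>">
```

Logging the rejected saves (failed token or origin check) gives the "review SMTP settings for unexpected changes" step above a concrete signal to alert on.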
CVE-2021-47830 is a cross-site request forgery (CSRF) vulnerability in My SMTP Contact Plugin versions 1.1.1–1.1.1 for GetSimple CMS, allowing attackers to modify SMTP settings.
You are affected if you are using My SMTP Contact Plugin versions 1.1.1–1.1.1 in your GetSimple CMS installation.
Upgrade to a patched version of the plugin as soon as it's available. Implement input validation and CSRF tokens as interim mitigation.
There is no confirmed active exploitation of CVE-2021-47830 at this time, but the potential for exploitation remains.
Refer to the GetSimple CMS website and security advisories for updates and official information regarding CVE-2021-47830.