CMS Made Simple version 2.2.5 allows an authenticated administrator to upload a file and rename it to have a .php extension. The file can then be executed by opening the URL of the file in the /uploads/ directory.
665002696e6aa2586a51b8816a8a1e2a503f1bc489989a9294e0d3632c5224f2
CMS Made Simple version 2.2.5 suffers from a remote code execution vulnerability.
2eda133a9630043692f259669d24c38f1bd3467fc0120bc869ace374cf33b47d