An issue was discovered in CMS Made Simple version 2.2.8. In
the module DesignManager (in the files action.admin_bulk_css.php
and action.admin_bulk_template.php), with an unprivileged user with
Designer permission, it is possible to reach an unserialize call
with a crafted value in the m1_allparms parameter, and achieve
object injection. This Metasploit module has been successfully
tested on CMS Made Simple versions 2.2.6, 2.2.7, 2.2.8, 2.2.9 and
2.2.9.1.
Read more https://packetstormsecurity.com/files/155322/cmsms_object_injection_rce.rb.txt