Cross Site Scripting vulnerability in CmSimple v.5.15 allows a remote malicious user to execute arbitrary code via the functions.php component.