CMSimple 5.4 is vulnerable to Local file inclusion (LFI) to Remote code execution (RCE) when an authenticated user is present. An attacker can exploit this vulnerability by changing the functions_file parameter to php://input and sending a malicious payload to the server. This will allow the attacker to execute arbitrary code on the server.