
CVE-2025-50754 PoC — Unisite CMS Security Vulnerability

Associated Vulnerability
Title: Unisite CMS Security Vulnerability (CVE-2025-50754)
Description: Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewed by an administrator. This allows attackers to hijack the admin session and, by leveraging the template editor, upload and execute a PHP web shell on the server, leading to full remote code execution.
Description
Stored XSS in a CMS platform leads to remote code execution (CVE-2025-50754)
Readme
# [CVE-2025-50754] Stored XSS to Remote Code Execution in a PHP-Based CMS Platform

## Summary
A PHP-based CMS platform (version 5) contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" feature. When an administrator views a user-submitted report, malicious JavaScript is executed within the admin panel context. This enables attackers to hijack the admin session and leverage the built-in template editor to upload a PHP web shell, resulting in full remote code execution (RCE) on the server.

## Technical Details
- **Vulnerability Type:** Stored Cross-Site Scripting (XSS)
- **Affected Product:** CMS Platform v5
- **Attack Type:** Remote
- **Impact:**
  - Remote Code Execution (RCE): **Yes**
  - Information Disclosure: **Yes**

### Attack Vector (Abstract Description)
An attacker submits a malicious JavaScript payload through the public-facing "Report" form. When a logged-in administrator views this content in the backend, the script executes in the administrator’s browser, exfiltrating session cookies.

After capturing the session, the attacker gains access to the administrative interface, particularly the template editor. Using this feature, the attacker injects PHP code into a `.tpl` file to establish a persistent web shell and execute arbitrary commands on the server.

> **Note:** To prevent abuse, no specific payloads or code snippets are included. Organizations are strongly encouraged to implement input validation, session hardening, and access controls on admin features.

## Exploitation Steps (High-Level)
1. The attacker submits a specially crafted report containing a malicious script.
2. The administrator opens the report via the admin dashboard.
3. The script runs, and the admin session cookie is captured.
4. Using the session, the attacker logs into the admin panel.
5. The attacker injects PHP into a template file via the template editor.
6. Remote code execution is achieved through the uploaded shell.

## Impact
- Full administrative takeover
- Execution of arbitrary commands on the server
- Data leakage or modification
- Potential persistence via uploaded backdoors

## Discoverers
- **Furkan Mehmet Yıldız**
- **Emrullah Baha Yılmaz**

## CVE Information
- **CVE ID:** CVE-2025-50754
- **Status:** RESERVED (public advisory pending)

## Proof of Concept (PoC)
Successful exploitation was confirmed by uploading a custom web shell (`s.php`) via the template editor and executing OS-level commands. The following sanitized image shows the output of the `id; ls -la` command executed through the web shell:

![Web Shell Output (Sanitized)](https://i.imgur.com/CSdSDLN.png)

This demonstrates that the attacker was able to execute commands and access filesystem contents under the privileges of the web server user.

```
uid=1003(t******_usr) gid=1006(t******_usr) groups=1006(t******_usr),995(fastmail),1002(fastsecure)
...
-rw-r--r-- 1 t******_usr t******_usr 6481 Nov 27 2024 rss.php
-rw-r--r-- 1 t******_usr t******_usr 64 Jul 31 12:24 s.php
```
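The listing above shows what persistence through the template editor looks like on disk: a dropped `.php` file sitting beside legitimate template assets. The following script is an added defensive example, not part of the original PoC and not Unisite CMS code. It walks a template directory and flags two artefacts of this attack chain: a `.tpl` file that contains a PHP open tag, and a `.php` file that is not on an allow-list baseline. The directory path, the baseline list, and the demo files it creates in a temporary directory are all constructed for the example.

```php
<?php
// Added example (not part of the original PoC or of Unisite CMS): a read-only
// integrity check over a template directory. $templateDir and $knownPhpFiles
// are assumptions; adapt them to the real installation.

declare(strict_types=1);

function scanTemplateDir(string $templateDir, array $knownPhpFiles): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($templateDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        /** @var SplFileInfo $file */
        $path = $file->getPathname();
        $ext  = strtolower($file->getExtension());

        if ($ext === 'tpl') {
            $content = file_get_contents($path);
            // A PHP open tag inside a template is the persistence technique
            // described in the advisory. Installs with short_open_tag enabled
            // would also need to match a bare "<?".
            if ($content !== false && preg_match('/<\?(php\b|=)/i', $content)) {
                $findings[] = ['path' => $path, 'reason' => 'PHP open tag inside template'];
            }
        } elseif ($ext === 'php' && !in_array($file->getFilename(), $knownPhpFiles, true)) {
            // Any .php file missing from the baseline is suspicious in a template tree.
            $findings[] = [
                'path'   => $path,
                'reason' => sprintf('unexpected PHP file (%d bytes, mtime %s)',
                    $file->getSize(), date('Y-m-d H:i', $file->getMTime())),
            ];
        }
    }
    return $findings;
}

// Constructed demo tree so the script runs offline; none of these files are real CMS files.
$dir = sys_get_temp_dir() . '/tpl_scan_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/header.tpl", "<div class=\"site-header\">{\$title}</div>\n");
file_put_contents("$dir/footer.tpl", "<footer></footer>\n<?php /* injected */ ?>\n");
file_put_contents("$dir/rss.php", "<?php // legitimate feed script\n");
file_put_contents("$dir/s.php", "<?php // placeholder standing in for a dropped file\n");

$findings = scanTemplateDir($dir, ['rss.php']);
foreach ($findings as $f) {
    printf("%s: %s\n", $f['reason'], $f['path']);
}
// footer.tpl is flagged for the PHP tag; s.php is flagged as an unexpected file.

// Remove the demo tree again.
array_map('unlink', glob("$dir/*"));
rmdir($dir);
```

Run it from cron against the real template directory with the baseline set to the files that ship with the CMS; any new finding is worth treating as an incident indicator rather than a warning, since template files are not supposed to change outside deployments.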

## References
- **CVE Record:** [https://cve.org/CVERecord?id=CVE-2025-50754](https://cve.org/CVERecord?id=CVE-2025-50754)

---

## Temporary Mitigations
No official patch is available from the vendor as of publication. To reduce risk:
- Sanitize and escape all user input rendered in the admin panel.
- Avoid rendering untrusted HTML or JavaScript.
- Enforce a strict Content Security Policy (CSP).
- Limit access to sensitive features like the template editor.
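The four mitigations above, as an added PHP example. This is illustrative code written for this page, not Unisite CMS code; the function names, the report structure, and the allow-list of template-editor users are assumptions.

```php
<?php
// Added example (not Unisite CMS code) showing the mitigations listed above.
// Function names, the $report array shape and $allowedTemplateEditors are assumptions.

declare(strict_types=1);

// 1. Escape every user-controlled string before it is placed into admin-panel HTML.
//    ENT_QUOTES makes the result safe inside attribute values as well as text;
//    ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. Session hardening: HttpOnly keeps script from reading the session id,
//    Secure restricts the cookie to HTTPS, SameSite=Strict blocks cross-site sends.
//    Call this instead of a bare session_start() on admin pages.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// 3. A strict Content Security Policy for the admin panel: no inline script,
//    no remote script sources, no plugins, no framing.
function sendAdminCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
}

// 4. Gate the template editor on an explicit capability rather than on any admin session.
//    $allowedTemplateEditors is an assumed allow-list of user ids; map it onto the
//    CMS's own role model in practice.
function canUseTemplateEditor(array $session, array $allowedTemplateEditors): bool
{
    return isset($session['user_id'])
        && in_array((int) $session['user_id'], $allowedTemplateEditors, true);
}

// Rendering one report row with every field escaped, including numeric ones.
function renderReportRow(array $report): string
{
    return '<tr><td>' . e((string) $report['id']) . '</td>'
         . '<td>' . e($report['subject']) . '</td>'
         . '<td>' . e($report['body']) . '</td></tr>';
}

// Constructed sample: a report body containing markup and quotes that must stay inert.
$sample = ['id' => 42, 'subject' => 'Broken link', 'body' => '<b>bold</b> & "quotes"'];
echo renderReportRow($sample), PHP_EOL;
// Prints: <tr><td>42</td><td>Broken link</td><td>&lt;b&gt;bold&lt;/b&gt; &amp; &quot;quotes&quot;</td></tr>
```

Escaping at output time is the control that directly breaks the stored-XSS step; the cookie flags and CSP limit what a script can do if escaping is ever missed, and the capability check on the template editor breaks the step from session hijack to code execution.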

---

*Reported by Furkan Mehmet Yıldız & Emrullah Baha Yılmaz*