CMS Platform v5 Stored XSS to Remote Code Execution Vulnerability

Vulnerability Information

Vulnerability name: CMS Platform v5 Stored XSS to Remote Code Execution Vulnerability

Vulnerability identifier:

  • CVE: CVE-2025-50754

Vulnerability type: Cross-site scripting (XSS)

Severity: High

Vulnerability description:

Affected product

CMS Platform v5 is a PHP-based content management system widely used to build and manage websites. It provides a user report feature that lets users submit reports for administrators to review. Because of its wide deployment and feature set, the security of this system is critical to many websites.

Vulnerability explanation

The vulnerability is a stored cross-site scripting (XSS) flaw in the “Report” feature of CMS Platform v5. An attacker can submit a report containing malicious JavaScript; when an administrator views that content in the backend, the script executes in the administrator’s browser. This allows the attacker to steal the administrator’s session and use the built-in template editor to upload a PHP web shell, achieving remote code execution (RCE) on the server.

Impact analysis

The security risk of this vulnerability is very high: by stealing the administrator session, an attacker can take full control of the website, execute arbitrary commands, leak or modify data, and gain persistence through an uploaded backdoor. Because the attacker operates with the administrator’s privileges, remote code execution requires no additional authentication, which makes exploitation easy to automate and poses a serious threat to the website’s security.

Product name: CMS Platform

Affected version: v5

Source: https://github.com/furk4nyildiz/CVE-2025-50754-PoC

Type: CVE-2025:github search

Repository files

  • README.md

Source overview

[CVE-2025-50754] Stored XSS to Remote Code Execution in a PHP-Based CMS Platform

Summary

A PHP-based CMS platform (version 5) contains a stored Cross-Site Scripting (XSS) vulnerability in the “Report” feature. When an administrator views a user-submitted report, malicious JavaScript is executed within the admin panel context. This enables attackers to hijack the admin session and leverage the built-in template editor to upload a PHP web shell, resulting in full remote code execution (RCE) on the server.

Technical Details

  • Vulnerability Type: Stored Cross-Site Scripting (XSS)
  • Affected Product: CMS Platform v5
  • Attack Type: Remote
  • Impact:
    • Remote Code Execution (RCE): Yes
    • Information Disclosure: Yes

Attack Vector (Abstract Description)

An attacker submits a malicious JavaScript payload through the public-facing “Report” form. When a logged-in administrator views this content in the backend, the script executes in the administrator’s browser, exfiltrating session cookies.

After capturing the session, the attacker gains access to the administrative interface, particularly the template editor. Using this feature, the attacker injects PHP code into a .tpl file to establish a persistent web shell and execute arbitrary commands on the server.

Note: To prevent abuse, no specific payloads or code snippets are included. Organizations are strongly encouraged to implement input validation, session hardening, and access controls on admin features.

Exploitation Steps (High-Level)

  1. The attacker submits a specially crafted report containing a malicious script.
  2. The administrator opens the report via the admin dashboard.
  3. The script runs, and the admin session cookie is captured.
  4. Using the session, the attacker logs into the admin panel.
  5. The attacker injects PHP into a template file via the template editor.
  6. Remote code execution is achieved through the uploaded shell.

Impact

  • Full administrative takeover
  • Execution of arbitrary commands on the server
  • Data leakage or modification
  • Potential persistence via uploaded backdoors

Discoverers

  • Furkan Mehmet Yıldız
  • Emrullah Baha Yılmaz

CVE Information

  • CVE ID: CVE-2025-50754
  • Status: RESERVED (public advisory pending)

Proof of Concept (PoC)

Successful exploitation was confirmed by uploading a custom web shell (s.php) via the template editor and executing OS-level commands. The following sanitized image shows the output of the “id; ls -la” command executed through the web shell:

Web Shell Output (Sanitized)

This demonstrates that the attacker was able to execute commands and access filesystem contents under the privileges of the web server user.

uid=1003(t******_usr) gid=1006(t******_usr) groups=1006(t******_usr),995(fastmail),1002(fastsecure)
...
-rw-r--r-- 1 t******_usr t******_usr 6481 Nov 27 2024 rss.php
-rw-r--r-- 1 t******_usr t******_usr 64 Jul 31 12:24 s.php

Temporary Mitigations

No official patch is available from the vendor as of publication. To reduce risk:

  • Sanitize and escape all user input rendered in the admin panel.
  • Avoid rendering untrusted HTML or JavaScript.
  • Enforce a strict Content Security Policy (CSP).
  • Limit access to sensitive features like the template editor.
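As an added illustration of the first three mitigations above (this is not code from the advisory or from the affected CMS; all function and variable names are hypothetical), the following PHP sketch shows the vulnerable rendering pattern beside a hardened one, plus the session-cookie and CSP settings that blunt the cookie-theft step described in the advisory.

```php
<?php
// Added example, not the CMS's own code. All names are hypothetical.

// VULNERABLE: the stored report body is written into the admin page as raw
// HTML, so any script stored in the report runs in the administrator's browser.
function render_report_vulnerable(array $report): string
{
    return '<div class="report">' . $report['body'] . '</div>';
}

// HARDENED: encode the untrusted text for an HTML text context before output.
// ENT_QUOTES also encodes both quote characters, so the same value is safe
// inside an attribute; ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8 (which would silently hide the report instead of showing it).
function render_report_hardened(array $report): string
{
    $safe = htmlspecialchars($report['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="report">' . $safe . '</div>';
}

// Session hardening: HttpOnly stops document.cookie from reading the session
// id, so the cookie-exfiltration step no longer works even if an XSS slips
// through; Secure and SameSite narrow where the browser will send the cookie.
// Must be called before session_start() and before any output.
function start_hardened_admin_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Strict CSP for the admin panel: scripts only from the site's own origin and
// no inline script, so an injected <script> block is refused by the browser.
function send_admin_csp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
}

// Constructed sample input: a report body carrying a harmless test script.
$report = ['body' => '<script>alert(1)</script>'];
echo render_report_vulnerable($report), PHP_EOL;  // script tag reaches the page
echo render_report_hardened($report), PHP_EOL;    // script tag is shown as text
```

Output encoding must be applied in every view that renders the report, not only in the form handler, since the payload is stored and reaches the admin panel later.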

Reported by Furkan Mehmet Yıldız & Emrullah Baha Yılmaz


http://example.com/2025/07/31/github_2384371405/
Author: lianccc
Published on: July 31, 2025