### Key Information

#### Vulnerability Overview

- **Vulnerability Type**: Stored Cross-Site Scripting (XSS)
- **Affected Product**: PHP-Based CMS Platform v5
- **Attack Type**: Remote
- **Impact**:
  - Remote Code Execution (RCE): Yes
  - Information Disclosure: Yes

#### Attack Vector

- The attacker submits a malicious JavaScript payload via a public "report" form.
- When a logged-in administrator views this content in the backend, the script executes in the administrator's browser and steals the session cookies.
- The attacker then abuses the template editor feature to inject PHP code into `.tpl` files, establishing a persistent web shell and executing arbitrary commands.

#### Exploitation Steps (High-Level)

1. Submit a report containing a malicious script.
2. The administrator opens the report via the admin dashboard.
3. The script executes and captures the administrator's session cookie.
4. The attacker uses the stolen session to log into the admin panel.
5. The attacker abuses the template editor to inject PHP code into template files.
6. Remote code execution is achieved via the uploaded shell.

#### Impact

- Full administrative takeover
- Execution of arbitrary commands on the server
- Data leakage or modification
- Potential persistence via an uploaded backdoor

#### Discoverers

- Furkan Mehmet Yildiz
- Emrullah Baha Yilmaz

#### CVE Information

- **CVE ID**: CVE-2025-50754
- **Status**: Reserved (public advisory pending)

#### Proof of Concept (PoC)

- Successful exploitation by uploading a custom web shell (`.php`) through the template editor and executing OS-level commands via the web shell.

#### References

- CVE Record: https://cve.org/CVERecord?id=CVE-2025-50754

#### Temporary Mitigation

- Sanitize and escape all user input displayed in the admin panel.
- Avoid rendering untrusted HTML or JavaScript.
- Enforce a strict Content Security Policy (CSP).
- Restrict access to sensitive features (e.g., the template editor).
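The following is an added example, not code from the affected CMS or from the advisory: a hardened admin-side report view that applies the first three mitigations above (output escaping, no raw HTML rendering, a CSP) and also sets session cookie flags so that a missed escape cannot leak the cookie to script. All function and field names are hypothetical.

```php
<?php
// Added example (hypothetical code, not the CMS's own): escape report fields
// at output time, send a restrictive CSP, and harden the admin session cookie.
declare(strict_types=1);

// Escape a user-supplied string for an HTML text node or double-quoted
// attribute. ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids
// returning an empty string when the input contains invalid UTF-8.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one report row for the admin dashboard. Every field that came from
// the public report form is escaped; raw values are never concatenated into
// the markup, so submitted <script> tags are shown as text, not executed.
function render_report_row(array $report): string
{
    return '<tr>'
        . '<td>' . esc_html((string) $report['id']) . '</td>'
        . '<td>' . esc_html($report['subject']) . '</td>'
        . '<td>' . esc_html($report['body']) . '</td>'
        . '</tr>';
}

// Defence in depth for the admin pages: block inline script entirely and
// keep the session cookie unreadable from JavaScript and off cross-site
// requests, so a stored payload that slips past escaping cannot exfiltrate it.
function start_hardened_admin_session(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
    header('X-Content-Type-Options: nosniff');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/admin/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not exposed to document.cookie
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Constructed sample: a report whose body carries a script, as an attacker
// would submit through the public form.
start_hardened_admin_session();
$sample = ['id' => 42, 'subject' => 'Broken link', 'body' => '<script>alert(1)</script>'];
echo render_report_row($sample), PHP_EOL;
```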