cbcvebase.
CVE-2025-52367
published 2025-09-22

CVE-2025-52367: Cross Site Scripting vulnerability in PivotX CMS v.3.0.0 RC 3 allows a remote attacker to execute arbitrary code via the subtitle field.

Priority: P3 · 35 · medium
CVSS 3.1: 5.4 (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Exploit: EPSS 4.25% (89.8th percentile)
Affected (1 range)

Vendor  | Product | Version range | Fixed in
pivotx  | pivotx  |               |

Detection & IOCs (extracted from sources)

url: http://IP/PivotX/pivotx/index.php?page=page
url: http://IP/PivotX/pivotx/index.php?page=homeexplore
url: http://IP/PivotX/index.php
path: modules/pages_flat.php
path: pivotx/index.php
  • Monitor HTTP requests containing XSS payloads in the 'subtitle' or 'title' POST parameters targeting PivotX page creation endpoints (index.php?page=page).
  • Alert on access to the PivotX file editor endpoint (index.php?page=homeexplore), especially when the request presents an admin session cookie that was recently seen in an exfiltration request, as this endpoint is the pivot point from XSS to RCE.
  • Detect cookie-stealing XSS exfiltration pattern: outbound GET requests to attacker-controlled hosts with a query parameter named 'c' containing session cookie values (e.g., /bruh?c=<cookie>).
  • Detect writes to the PivotX index.php file via the admin file editor, which is the final RCE step; monitor file modification events on the webroot index.php.
  • The exploit chain requires only a normal (non-admin) authenticated user to initiate; alert on page creation requests from low-privilege accounts containing HTML/script tags in title or subtitle fields.
  • The vulnerable code path is savePage() in modules/pages_flat.php using saveSerialize() with no sanitization; consider file integrity monitoring on this module file.
  • Only the 'body' and 'introduction' fields pass through TinyMCE HTML encoding; 'title' and 'subtitle' are rendered as raw HTML with no sanitization, making them the sole injectable attack surface.
  • The Metasploit module targets the admin file-edit feature to overwrite index.php; this RCE step requires valid admin credentials (obtained via the XSS cookie-theft step).
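As an added example (not taken from the advisory, PivotX, or the Metasploit module), the following Python checker applies the first three detection bullets to constructed log lines: script markup in the title/subtitle POST fields, access to the homeexplore file editor, and the `?c=<cookie>` exfiltration shape. The single-line log format and the sample traffic are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in a hypothetical "client method path status body" format;
# the POST body column is what a reverse proxy or WAF might log. Not real traffic.
SAMPLE_LOG = """\
10.0.0.7 POST /PivotX/pivotx/index.php?page=page 200 title=Hello&subtitle=World
10.0.0.8 POST /PivotX/pivotx/index.php?page=page 200 title=x&subtitle=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
10.0.0.9 GET /bruh?c=PHPSESSID%3Dabc123%3B+pivotxsession%3Ddef 302 -
10.0.0.8 GET /PivotX/pivotx/index.php?page=homeexplore 200 -
10.0.0.7 GET /PivotX/index.php 200 -
"""

# Markup that should never appear in a plain-text title or subtitle.
HTML_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|on\w+\s*=|javascript:", re.I)
# A cookie-like name=value token, as in the /bruh?c=<cookie> exfil pattern.
COOKIE_RE = re.compile(r"^[\w-]+=\S+")


def check_line(line):
    """Return the list of detection-rule names a single log line triggers."""
    client, method, target, status, body = line.split(" ", 4)
    url = urlsplit(target)
    query = parse_qs(url.query)
    page = query.get("page", [""])[0]
    hits = []
    # Rule 1: page creation with HTML/script in the unsanitized fields.
    if method == "POST" and url.path.endswith("pivotx/index.php") and page == "page":
        form = parse_qs(body)  # parse_qs URL-decodes the values
        for field in ("title", "subtitle"):
            if any(HTML_RE.search(v) for v in form.get(field, [])):
                hits.append(f"xss_in_{field}")
    # Rule 2: the admin file editor, the XSS-to-RCE pivot point.
    if page == "homeexplore":
        hits.append("file_editor_access")
    # Rule 3: a 'c' query parameter carrying a cookie-shaped value.
    if any(COOKIE_RE.match(v) for v in query.get("c", [])):
        hits.append("cookie_exfil")
    return hits


def scan(log_text):
    """Run every line through check_line, escalating file-editor access once an
    exfiltration request has been observed earlier in the log."""
    alerts, exfil_seen = [], False
    for line in log_text.splitlines():
        hits = check_line(line)
        exfil_seen = exfil_seen or "cookie_exfil" in hits
        if "file_editor_access" in hits and exfil_seen:
            hits.append("file_editor_after_exfil")
        if hits:
            alerts.append((line.split(" ", 1)[0], hits))
    return alerts
```

Writes to the webroot index.php (the fourth bullet) are not visible in request logs and belong to file integrity monitoring instead.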