Listen to this Post
How the vulnerability works:
The flaw resides in Kirby’s `Xml::value()` method, which handles XML special characters and CDATA blocks. Normally, if input is already a valid CDATA section (e.g., <![CDATA
]></code>), the method passes it through unescaped to avoid double‑encoding. However, the validation logic was insufficient: it only checked that the input contained a valid CDATA block, not that the entire string consisted only of CDATA. An attacker could supply a value like `]]><script>alert(1)</script><![CDATA[` – this contains a balanced CDATA block (<code><![CDATA[</code> … <code>]]></code>) but also arbitrary structured data outside that block. Because the method saw the embedded CDATA, it skipped escaping and allowed the surrounding malicious XML tags to pass through unescaped. As a result, any XML generated by `Xml::value()` (and consequently by <code>Xml::tag()</code>, <code>Xml::create()</code>, or the `Xml` data handler in <code>Data::encode()</code>) could be injected with attacker‑controlled elements or attributes. The Kirby core does not use these methods, so only sites or plugins that manually generate XML from user input are affected. If that XML is later parsed by another system (e.g., a REST API, a SOAP service, or a CI/CD pipeline) that assigns meaning to specific tags, this injection can alter that system’s behaviour – leading to SSRF, data exfiltration, or workflow tampering. The patch (released in Kirby 4.9.0 and 5.4.0) adds a strict check: CDATA passthrough is only allowed if the entire string consists of one or more complete CDATA blocks with no other characters outside them.
<h2 style="color: blue;">dailycve form:</h2>
Platform: Kirby CMS
Version: <4.9.0,<5.4.0
Vulnerability: XML CDATA injection
Severity: Medium
date: 2025-04-23
<h2 style="color: blue;">Prediction: Patched Apr2025</h2>
<h2 style="color: blue;">What Undercode Say:</h2>
[bash]
Check Kirby version in a project
composer show getkirby/cms | grep versions
Find vulnerable method usage in custom code
grep -r "Xml::value|Xml::tag|Xml::create|Data::encode.'xml'" site/ plugins/
Example vulnerable code (before patch)
$user_input = $_GET['xml_data'];
$xml = Xml::tag('root', [], Xml::value($user_input));
echo $xml;
Attacker payload: ]]> <evil/> <![CDATA[
Exploit:
Send input: `]]>delete_all <![CDATA[</h2>
If the XML is later fed to an internal admin API that interprets, the attacker can trigger unintended actions.
<h2 style="color: blue;">Protection from this CVE</h2>
Update to Kirby 4.9.0, 5.4.0, or later. If unable to upgrade, wrap user input in a custom validator that rejects any string containing `Xml::value()`.
Impact:
Remote injection of arbitrary XML tags/attributes, potentially leading to server‑side request forgery (SSRF), data corruption, or execution of privileged workflows in downstream XML consumers.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:
If the XML is later fed to an internal admin API that interprets
, the attacker can trigger unintended actions.
<h2 style="color: blue;">Protection from this CVE</h2>
Update to Kirby 4.9.0, 5.4.0, or later. If unable to upgrade, wrap user input in a custom validator that rejects any string containing `Xml::value()`.
Impact:
Remote injection of arbitrary XML tags/attributes, potentially leading to server‑side request forgery (SSRF), data corruption, or execution of privileged workflows in downstream XML consumers.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode
🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]
📢 Follow DailyCVE & Stay Tuned:

