CVE-2018-11564
Description
Stored XSS in YOOtheme Pagekit 1.0.13 and earlier allows a user to upload malicious code via the picture upload feature. A user with elevated privileges could upload a photo to the system in an SVG format. This file will be uploaded to the system and it will not be stripped or filtered. The user can create a link on the website pointing to "/storage/poc.svg" that will point to http://localhost/pagekit/storage/poc.svg. When a user comes along to click that link, it will trigger an XSS attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Pagekit CMS <=1.0.13 allows privileged users to upload malicious SVG files, leading to script execution when a victim clicks a link.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in YOOtheme Pagekit CMS versions 1.0.13 and earlier [2][4]. The picture upload feature does not sanitize SVG files, allowing a user with elevated privileges to upload a malicious SVG as a photo. The file is stored at /storage/poc.svg without filtering or stripping of embedded scripts [2][4].
Exploitation
An attacker with elevated privileges (e.g., a content editor) can craft an SVG file containing a JavaScript payload and upload it via the picture upload interface [2]. After upload, the file is accessible via a URL such as http://localhost/pagekit/storage/poc.svg. The attacker then creates a link on the site pointing to that SVG. When another user clicks that link, the SVG renders and the embedded script executes in the context of the victim's browser [4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the browser of any user who clicks the malicious link. This can lead to session hijacking, defacement, or theft of sensitive information within the CMS context. The attack requires victim interaction (clicking a link).
Mitigation
As of the available references, no patch has been released; the vulnerability exists in all versions up to 1.0.13 [2]. Users should upgrade to a version newer than 1.0.13 if available. As a workaround, administrators can restrict SVG uploads by modifying server configurations or implementing input validation to strip script content from uploaded SVG files. The Pagekit project on GitHub [3] should be monitored for future fixes.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/44837/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- github.com/advisories/GHSA-3rwj-v7jp-w542 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-11564 (ghsa, ADVISORY)
- ruffsecurity.blogspot.com/2018/05/my-first-cve-found.html (ghsa, x_refsource_MISC, WEB)
- packetstormsecurity.com/files/148001/PageKit-CMS-1.0.13-Cross-Site-Scripting.html (ghsa, x_refsource_MISC, WEB)
- www.exploit-db.com/exploits/44837 (ghsa, WEB)