VYPR
Low severity 3.5 · NVD Advisory · Published Jan 30, 2025 · Updated Apr 15, 2026

CVE-2025-0871

Description

A vulnerability classified as problematic has been found in Maybecms 1.2. This affects an unknown part of the file /mb/admin/index.php?u=article-edit of the component Add Article. The manipulation of the argument data_info[content] leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Maybecms 1.2 suffers from a stored XSS vulnerability in the Add Article feature, allowing remote attackers to inject arbitrary scripts.

A stored cross-site scripting (XSS) vulnerability exists in Maybecms 1.2, specifically in the Add Article functionality at /mb/admin/index.php?u=article-edit. The data_info[content] parameter is not properly sanitized, allowing malicious HTML/JavaScript to be stored in the article body. The backend fails to filter or escape HTML tags, enabling attackers to inject dangerous attributes such as `onerror` [1].

An attacker can exploit this vulnerability by sending a crafted POST request to the article edit endpoint with a malicious payload in the data_info[content] field. When an administrator views the saved article via the 'View' button, the injected script executes in their browser. The attack is remote. Because the vulnerability is in the admin backend and the reference describes it as a backend stored XSS, the attacker presumably needs admin privileges to add articles. The CVE description does not specify authentication requirements, but article addition typically requires admin login, so the attack vector is likely limited to authenticated users with article editing permissions [1].

Successful exploitation allows an attacker to steal sensitive information such as session cookies, login credentials, or personal data. Additionally, the attacker can redirect users to phishing pages, deliver malware, or perform other malicious actions in the context of the victim's browser session. Since the script executes when the article is viewed, any admin accessing the stored article is affected [1].

As of the publication date, no official patch has been released. Users are advised to manually sanitize user input in the affected field or apply input validation. The vendor may need to address this issue in a future update. The vulnerability has been publicly disclosed, increasing the risk of exploitation [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

4
