CVE-2025-10434
Description
A vulnerability was identified in IbuyuCMS up to version 2.6.3. Affected is an unknown function of the file /admin/article.php?a=mod in the Add Article Page component. Manipulation of the argument Title leads to cross-site scripting. The attack can be carried out remotely. The exploit is publicly available and might be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
IbuyuCMS up to 2.6.3 has a stored XSS vulnerability in the article title field of /admin/article.php, allowing remote attackers to inject arbitrary scripts.
Vulnerability
Overview
A stored cross-site scripting (XSS) vulnerability exists in IbuyuCMS versions up to 2.6.3. The flaw resides in the /admin/article.php?a=mod endpoint, specifically in the title input field of the "Add Article" page. The application fails to sanitize or escape user-supplied HTML in that field, allowing an attacker to inject markup such as `<script>` tags or event handlers like `onerror` [1].
Exploitation
Prerequisites
An attacker must have access to the administrative backend of the CMS. The attack is performed remotely by sending a crafted POST request to /admin/article.php?a=mod&id=10 with a malicious payload in the Title parameter. No authentication bypass is required; the attacker needs valid admin credentials or the ability to trick an authenticated admin into submitting the payload [1].
Impact
Successful exploitation enables an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of session cookies, login credentials, or other sensitive data. Additionally, the attacker may redirect users to phishing pages, deliver malware, or perform other malicious actions within the context of the affected application [1].
Mitigation
As of the publication date, no official patch has been released for IbuyuCMS 2.6.3. The vendor has not addressed the vulnerability. Users are advised to restrict access to the admin panel, implement input validation and output encoding for all user-supplied data, and consider upgrading to a supported fork or alternative CMS if available [1].
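A minimal illustration of the defect and its fix, added here as example code rather than IbuyuCMS's own source (the CMS's real handler is not shown on this page); it assumes a PHP handler with a PDO connection and an `articles` table:

```php
<?php
// Added example (not IbuyuCMS code): how a stored article title flows into
// the "Add Article" page, and how to encode it on output so it cannot run.
// The PDO handle and the `articles` table are assumptions for illustration.
declare(strict_types=1);

// Encode at the point of output for the HTML context in use. ENT_QUOTES also
// escapes single quotes, so the helper is safe inside any quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Storing the title: keep it as plain text and bound its length. Do not rely
// on stripping tags here; input filtering alone is lossy and easy to miss.
function store_title(PDO $pdo, int $id, string $title): void
{
    $title = mb_substr(trim($title), 0, 200, 'UTF-8');
    $stmt = $pdo->prepare('UPDATE articles SET title = :t WHERE id = :id');
    $stmt->execute([':t' => $title, ':id' => $id]);
}

// VULNERABLE: the stored title is written into the edit form unencoded.
// A title that closes the value attribute can add an element with an event
// handler, which then runs in the browser of every admin who opens a=mod.
function render_title_field_vulnerable(string $title): string
{
    return '<input type="text" name="Title" value="' . $title . '">';
}

// FIXED: encode for the attribute context; the same title is now inert text.
function render_title_field_fixed(string $title): string
{
    return '<input type="text" name="Title" value="' . h($title) . '">';
}

// Defence in depth for the admin panel: a CSP without inline script limits
// what an injected element can do if an encoding gap is ever missed.
function send_admin_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample title (not from the CVE) showing the difference in output.
$sample = '"><img src=x onerror=alert(1)>';
echo render_title_field_vulnerable($sample), PHP_EOL;
echo render_title_field_fixed($sample), PHP_EOL;
```

The vulnerable renderer emits the sample title as live markup, while the fixed one emits it as `&quot;&gt;&lt;img ...&gt;`, which the browser displays as text; the same `h()` helper must be applied wherever the title is printed (article list, page title, edit form), not only in one place.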
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in our index yet)