VYPR
Moderate severityOSV Advisory· Published Dec 1, 2025· Updated Dec 1, 2025

CVE-2025-63522

Description

Reverse Tabnabbing vulnerability in FeehiCMS 2.1.1 in the Comments Management function

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

FeehiCMS 2.1.1 has a Reverse Tabnabbing vulnerability in the Comments Management function due to missing rel="noopener noreferrer" on external links.

Vulnerability

Overview

FeehiCMS version 2.1.1 contains a Reverse Tabnabbing vulnerability in its Comments Management function [2][3]. The root cause is that external links rendered in comments with target="_blank" are emitted without the rel="noopener noreferrer" attribute [3]. Without noopener, the page opened in the new tab receives a window.opener reference to the original tab and can use it to navigate that tab to a location of its choosing [3].

Exploitation

To exploit this vulnerability, an attacker must have a valid backend user account [3][4]. The attacker logs in and navigates to the Comments Management function, then updates or creates a comment that includes a malicious external link [3][4]. When an administrator or other backend user clicks that link, the attacker-controlled page can rewrite the original FeehiCMS admin tab, for example replacing it with a phishing site that mimics the legitimate login page [3]. The attack is triggered via a simple POST request to the comment update endpoint [3][4].

Impact

Successful exploitation leads to Reverse Tabnabbing, a phishing technique where an attacker can replace the content of the original tab with a malicious page [3]. If the victim authenticates on this fake page, their credentials or other sensitive data are sent to the attacker's phishing site [3]. The vector is made more dangerous because the victim was initially on the legitimate FeehiCMS admin page, so they are less likely to notice the swap [3].

Mitigation

As of the publication date, no patch has been released for this vulnerability in the public repository [1]. The developer should add rel="noopener noreferrer" to all external links that use target="_blank", especially in user-controllable content areas like comments [3]. Administrators using FeehiCMS 2.1.1 should be cautious when clicking external links in comments until a fix is applied.
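One way to apply that mitigation on the server side, as an added example that is not FeehiCMS code: a small Node.js utility that audits stored comment HTML for new-tab links lacking noopener and rewrites every target="_blank" anchor to carry rel="noopener noreferrer", preserving any rel tokens already present. The sample comment markup is constructed for the example, and the attribute handling is regex-based rather than a full HTML parser.

```javascript
// Added example, not FeehiCMS code: audit and harden anchors in comment HTML so
// every link that opens a new tab carries rel="noopener noreferrer". Regex-based
// so it runs in Node without a DOM; meant for server-side post-processing.
const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Constructed sample comment: one unsafe new-tab link, one partly hardened, one internal.
const SAMPLE_COMMENT_HTML =
  '<p>Nice post, see <a href="https://example.test/notes" target="_blank">my notes</a> ' +
  'and <a href="https://example.test/docs" target="_blank" rel="noopener">docs</a>; ' +
  'also <a href="/admin/comment/index">the list</a>.</p>';
// Parse an opening tag's attribute text into {name, value} pairs (value null if bare).
function parseAttrs(attrText) {
  const attrs = [];
  ATTR_RE.lastIndex = 0;
  for (let m; (m = ATTR_RE.exec(attrText)) !== null; ) {
    attrs.push({ name: m[1], value: [m[2], m[3], m[4], null].find(v => v !== undefined) });
  }
  return attrs;
}
// Re-emit attributes, always double-quoting values and escaping embedded quotes.
function serializeAttrs(attrs) {
  return attrs
    .map(a => (a.value === null ? a.name : `${a.name}="${a.value.replace(/"/g, '&quot;')}"`))
    .join(' ');
}
const findAttr = (attrs, name) => attrs.find(a => a.name.toLowerCase() === name);
const attrValue = (attrs, name) => { const a = findAttr(attrs, name); return a && a.value ? a.value : ''; };
const opensNewTab = attrs => attrValue(attrs, 'target').toLowerCase() === '_blank';
const relTokens = attrs => new Set(attrValue(attrs, 'rel').toLowerCase().split(/\s+/).filter(Boolean));
// Detection: return the opening tags of new-tab links that lack rel=noopener.
function findUnsafeNewTabAnchors(html) {
  return [...html.matchAll(ANCHOR_RE)]
    .filter(m => { const a = parseAttrs(m[1]); return opensNewTab(a) && !relTokens(a).has('noopener'); })
    .map(m => m[0]);
}
// Mitigation: add noopener and noreferrer, keeping any rel tokens already present.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (full, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!opensNewTab(attrs)) return full; // same-tab links keep their markup untouched
    const tokens = relTokens(attrs);
    tokens.add('noopener').add('noreferrer');
    const rel = findAttr(attrs, 'rel');
    if (rel) rel.value = [...tokens].join(' ');
    else attrs.push({ name: 'rel', value: [...tokens].join(' ') });
    return `<a ${serializeAttrs(attrs)}>`;
  });
}
```

Running findUnsafeNewTabAnchors over stored comments gives an inventory of links that still need fixing; hardenAnchors is the rewrite to apply at render time or during a one-off cleanup.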

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: feehi/feehicms (Packagist)
Affected versions: <= 2.1.1
Patched versions: none listed
