CVE-2026-38931
Description
A stored cross-site scripting (XSS) vulnerability exists in the /admin/config-module.php component of creatorsofcode simplephp at GitHub commit 5184cff (latest as of 2026-02-27), exploitable by injecting a crafted payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A stored XSS vulnerability in simplephp's /admin/config-module.php allows attackers to execute arbitrary JavaScript by injecting malicious code into the Custom Head Tracking Code field.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in the /admin/config-module.php component of simplephp at GitHub commit 5184cff (Latest as of 2026-02-27). The flaw is due to insufficient input sanitization, allowing an attacker with administrative access to inject arbitrary JavaScript via the Custom Head Tracking Code field [2].
Exploitation
An attacker must first log in to the admin panel (default credentials admin/admin123) and activate the Analytics Tracker module under the Modules section [2]. Next, the attacker navigates to the Module Config page, inserts a crafted payload (e.g. `<script>alert(666666)</script>`, the payload given in the reference) into the Custom Head Tracking Code field and saves it [2]. Any user visiting the website homepage will then trigger the stored XSS [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to theft of cookies and sensitive information, or even hijacking of administrator accounts [2]. The scope of compromise is limited to the browser session of users who view the affected page.
Mitigation
As of the publication date, no official fix has been released for commit 5184cff. Administrators should restrict admin panel access to trusted users and consider implementing input sanitization for the Custom Head Tracking Code field. Reviewing and applying security patches when available is recommended. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: = 5184cff
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Lack of output encoding/sanitization in the 'Custom Head Tracking Code' field of /admin/config-module.php allows stored XSS."
Attack vector
An attacker must first log into the administrator backend (default credentials admin/admin123). They then install and activate the "Analytics Tracker" module under the "Modules" section [ref_id=1]. After activation, the attacker navigates to "Module Config", pastes a JavaScript payload (e.g. `<script>alert(666666)</script>`) into the "Custom Head Tracking Code" field, and saves [ref_id=1]. The payload is stored on the server and executed in the browsers of any user who visits the website homepage, because the tracking code is rendered without sanitization [ref_id=1].
Affected code
The vulnerability resides in `/admin/config-module.php` of the simplephp application at commit 5184cff [ref_id=1]. The "Custom Head Tracking Code" field within the "Analytics Tracker" module's configuration page lacks proper output encoding, allowing stored scripts to execute when the homepage renders the tracking code [ref_id=1].
What the fix does
The advisory does not provide a patch or diff [ref_id=1]. To remediate, the application must properly encode or sanitize user-supplied input before storing and rendering it in the "Custom Head Tracking Code" field. Output encoding (e.g. HTML entity encoding) or a strict allowlist of safe characters should be applied, and the tracking code field should not be rendered as raw HTML/JavaScript without escaping [ref_id=1].
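As an added illustration of the defect class and the remediation described above (not simplephp's code; the config array and field key are assumptions), the raw-output pattern that causes the stored XSS beside the HTML-entity-encoded form:

```php
<?php
declare(strict_types=1);

// Added example, not taken from simplephp. Assumed: the saved module
// configuration is available as $config['custom_head_tracking_code'].

// Vulnerable pattern: the stored field is concatenated into <head> as-is,
// so any markup saved on the Module Config page is parsed and executed
// by every visitor's browser.
function render_head_vulnerable(array $config): string
{
    return '<head>' . $config['custom_head_tracking_code'] . '</head>';
}

// Hardened pattern: encode on output so the stored value is emitted as
// inert text. ENT_QUOTES also encodes quotes, which matters if the value
// is ever placed inside an attribute; ENT_SUBSTITUTE avoids returning an
// empty string on invalid UTF-8, which would otherwise silently drop the
// field.
function render_head_hardened(array $config): string
{
    $safe = htmlspecialchars(
        $config['custom_head_tracking_code'],
        ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return '<head>' . $safe . '</head>';
}

// Constructed sample input: the payload quoted in the advisory.
$config = ['custom_head_tracking_code' => '<script>alert(666666)</script>'];

// The first line contains a live <script> element; the second contains
// only &lt; / &gt; entities and nothing executable.
echo render_head_vulnerable($config), PHP_EOL;
echo render_head_hardened($config), PHP_EOL;
```

If the feature genuinely needs to emit raw tracking markup, encoding alone is not an option and a strict allowlist of permitted snippets, as the advisory also suggests, has to be enforced at save time instead.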
Preconditions
- auth: Attacker must have valid administrator credentials to access the admin backend
- config: The 'Analytics Tracker' module must be installed and activated
- network: The attacker must have network access to the /admin/config-module.php endpoint
- input: The payload is submitted via the 'Custom Head Tracking Code' input field
Reproduction
1. Log into the administrator backend (default credentials: admin/admin123).
2. Under "Modules", install and activate the "Analytics Tracker" component.
3. Navigate to "Module Config", paste `<script>alert(666666)</script>` into the "Custom Head Tracking Code" field, and click "Save".
4. Visit the website homepage: an alert box displaying "666666" will pop up, confirming the XSS [ref_id=1].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.