Exploit Details
Basic Information
| Exploit Title | Anchor CMS 0.12.7 – Stored Cross Site Scripting (XSS) |
|---|---|
| Exploit ID | EDB-ID:52327 |
| Type | exploitdb |
| Published | 2025-06-15T00:00:00 |
| Modified | 2025-06-15T00:00:00 |
CVSS Information
| CVSS Score | 5.4 |
|---|---|
| Severity | MEDIUM |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
CVE Information
- CVE-2025-46041
Exploit Description
Exploit Title: Anchor CMS 0.12.7 – Stored Cross Site…
Exploit Code
# Exploit Title: Anchor CMS 0.12.7 – Stored Cross Site Scripting (XSS)
# Google Dork: inurl:”/admin/pages/add” “Anchor CMS”
# Date: 2025-06-08
# Exploit Author: /bin/neko
# Vendor Homepage: http://anchorcms.com
# Software Link: https://github.com/anchorcms/anchor-cms
# Version: 0.12.7
# Tested on: Ubuntu 22.04 + Apache2 + PHP 8.1
# CVE: CVE-2025-46041
# Description:
Anchor CMS v0.12.7 suffers from a stored Cross-Site Scripting (XSS) vulnerability
in the `markdown` field of the /admin/pages/add page.
An authenticated user with page creation privileges can inject arbitrary JavaScript,
which is stored and executed when the page is viewed.
# Steps to Reproduce:
1. Log in to /admin
2. Navigate to Pages > Add Page
3. In the `Markdown` field, insert:
4. Save the page.
5. View the created page. The script executes.
# Impact:
- Arbitrary JavaScript execution
- Potential session hijacking or admin impersonation
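
A mitigation for the issue described above, as an added example (not code from Anchor CMS or from the exploit author): an allowlist filter applied to the HTML that a Markdown renderer produces, before it is sent to the browser. The function names, the tag and attribute lists, and the sample input are assumptions made for the illustration; where Anchor CMS converts the stored `markdown` field to HTML is not shown on this page.

```php
<?php
// Added example, not Anchor CMS code: allowlist filter for rendered Markdown HTML.
const ALLOWED_TAGS = ['p', 'br', 'hr', 'h1', 'h2', 'h3', 'h4', 'ul', 'ol', 'li',
    'blockquote', 'pre', 'code', 'em', 'strong', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

function is_safe_url(string $url): bool
{
    // Browsers ignore whitespace and control characters inside a scheme name.
    $clean = preg_replace('/[\x00-\x20]+/', '', $url);
    if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $clean, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);
    }
    return true; // no scheme: relative URL
}

function sanitize_rendered_html(string $html): string
{
    libxml_use_internal_errors(true); // tolerate sloppy markup
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8"?><div>' . $html . '</div>');
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper is the first div
    // Snapshot the live node list before mutating the tree.
    foreach (iterator_to_array($root->getElementsByTagName('*')) as $el) {
        $tag = strtolower($el->nodeName);
        if (!in_array($tag, ALLOWED_TAGS, true)) {
            $el->parentNode->removeChild($el); // drop the element and its subtree
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->nodeName);
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && (!in_array($name, ['href', 'src'], true) || is_safe_url($attr->value));
            if (!$ok) {
                $el->removeAttribute($attr->nodeName); // on* handlers, style, unsafe URLs
            }
        }
    }
    // Serialize only the wrapper's children, so nothing outside it is emitted.
    return implode('', array_map([$doc, 'saveHTML'], iterator_to_array($root->childNodes)));
}

// Constructed sample of renderer output (not the payload from the advisory).
$rendered = '<h1 onclick="x()">Hi</h1><p>ok <a href="https://example.org">link</a></p>'
    . '<script>x()</script><img src="a.png" onerror="x()"><a href="JaVa&#9;script:x()">y</a>';
echo sanitize_rendered_html($rendered), "\n";
```

Script elements, event-handler attributes and URLs with schemes other than http, https or mailto are dropped from the output, while ordinary Markdown formatting survives.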