CVE-2012-0984

XOOPS < 2.5.5 - Cross-Site Scripting via Multiple Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2012-0984. PoCs published by High-Tech Bridge SA.

AI-analyzed exploit summary The exploit demonstrates multiple XSS vulnerabilities in XOOPS 2.5.4 by injecting malicious scripts via unsanitized POST parameters in various endpoints. Each PoC uses a form submission to trigger the XSS payload, confirming the vulnerability.

Description

Multiple cross-site scripting (XSS) vulnerabilities in XOOPS before 2.5.5 allow remote attackers to inject arbitrary web script or HTML via the (1) to_userid parameter to modules/pm/pmlite.php or the (2) current_file, (3) imgcat_id, or (4) target parameter to class/xoopseditor/tinymce/tinymce/jscripts/tiny_mce/plugins/xoopsimagemanager/xoopsimagebrowser.php.

Exploits (3)

exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/18753

The exploit demonstrates multiple XSS vulnerabilities in XOOPS 2.5.4 by injecting malicious scripts via unsanitized POST parameters in various endpoints. Each PoC uses a form submission to trigger the XSS payload, confirming the vulnerability.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: XOOPS 2.5.4 and prior
No auth needed
Prerequisites: Access to the vulnerable XOOPS instance
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/37093

This exploit demonstrates multiple XSS vulnerabilities in XOOPS by injecting malicious scripts into form inputs. The PoC shows how unsanitized user input in parameters like 'current_file', 'imgcat_id', and 'target' can lead to arbitrary JavaScript execution.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: XOOPS 2.5.4
No auth needed
Prerequisites: Access to the vulnerable XOOPS instance
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC VERIFIED
by High-Tech Bridge SA · textwebappsphp
https://www.exploit-db.com/exploits/37092

This exploit demonstrates a stored XSS vulnerability in XOOPS 2.5.4 by injecting malicious JavaScript into the 'to_userid' parameter of the private messaging module. The PoC form submits a payload that executes arbitrary script code in the context of the affected site.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: XOOPS 2.5.4
No auth needed
Prerequisites: Access to the target's private messaging module
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (10)

Core 10
Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/81212
Exploit exploit x_refsource_exploit-db
http://www.exploit-db.com/exploits/18753
Patch, Vendor Advisory x_refsource_confirm
http://xoops.org/modules/news/article.php?storyid=6284
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2012-04/0128.html
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/48887
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/75024
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/81213
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/53143

Scores

EPSS 0.0416
EPSS Percentile 89.6%

Details

CWE
CWE-79
Status published
Products (5)
xoops/xoops 2.5.0
xoops/xoops 2.5.1
xoops/xoops 2.5.2 (2 CPE variants)
xoops/xoops 2.5.3
xoops/xoops < 2.5.4
Published Sep 11, 2014
Tracked Since Feb 18, 2026