CVE-2017-9425

MEDIUM

Facetag 0.0.3 - Stored Cross-Site Scripting via Name Parameter in facetag.changeTag Action

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-9425. PoC published by Touhid M.Shaikh.

AI-analyzed exploit summary: This exploit demonstrates a persistent XSS vulnerability in the Piwigo Facetag plugin (version 0.0.3) by injecting malicious JavaScript via the 'name' parameter in a POST request, which is then stored in the server's database and executed when the photo is viewed.

Description

The Facetag extension 0.0.3 for Piwigo allows XSS via the name parameter to ws.php in a facetag.changeTag action.

Exploits (1)

exploitdb · WORKING POC
by Touhid M.Shaikh · text / webapps / php
https://www.exploit-db.com/exploits/42098


Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target: Piwigo Facetag plugin 0.0.3
No auth needed
Prerequisites: Access to the Piwigo instance with the vulnerable Facetag plugin installed
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory (x_refsource_misc)
https://www.youtube.com/watch?v=_ha7XBT_Omo
Exploit, Third Party Advisory, VDB Entry (exploit, x_refsource_exploit-db)
https://www.exploit-db.com/exploits/42098/

Scores

CVSS v3 6.1
EPSS 0.0143
EPSS Percentile 69.6%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
facetag_project/facetag 0.0.3
Published Feb 26, 2018
Tracked Since Feb 18, 2026