CVE-2018-25331

MEDIUM

Zenar Content Management System Cross-Site Scripting via ajax.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25331. PoCs published by Berk Dusunur.

AI-analyzed exploit summary This is a functional proof-of-concept for a stored XSS vulnerability in Zenar CMS. The exploit demonstrates how an attacker can inject malicious JavaScript via the 'current_page' parameter in an AJAX request, which is then reflected in the response.

Description

Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the current_page parameter sent to the ajax.php endpoint, which reflects unsanitized user input in the response HTML to execute arbitrary JavaScript in victim browsers.

Exploits (1)

exploitdb WORKING POC

by Berk Dusunur · textwebappsphp

https://www.exploit-db.com/exploits/44664

View Code ZIP pw:eip

This is a functional proof-of-concept for a stored XSS vulnerability in Zenar CMS. The exploit demonstrates how an attacker can inject malicious JavaScript via the 'current_page' parameter in an AJAX request, which is then reflected in the response.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Zenar Content Management System

No auth needed

Prerequisites: Access to the target's AJAX endpoint · Ability to send crafted HTTP requests

MITRE ATT&CK

T1059.007 - JavaScript T1189 - Drive-by Compromise

devstral-2 · analyzed May 17, 2026 Full analysis →

References (4)

Core 4

Core References

Exploit exploit

ExploitDB-44664

https://www.exploit-db.com/exploits/44664

Product product

Official Product Homepage

http://demo.zenar.io

Product product

Product Reference

https://zenar.io/

Third Party Advisory third-party-advisory

VulnCheck Advisory: Zenar Content Management System Cross-Site Scripting via ajax.php

https://www.vulncheck.com/advisories/zenar-content-management-system-cross-site-scripting-via-ajax-php

Scores

CVSS v3 6.1

EPSS 0.0022

EPSS Percentile 11.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

zenar/Zenar Content Management System 7.0

Published May 17, 2026

Tracked Since May 17, 2026