CVE-2020-8825

MEDIUM

Vanilla 2.6.3 - Stored Cross-Site Scripting via Branding Settings Page


Exploitation Summary

EIP tracks 2 public exploits for CVE-2020-8825. PoCs published by Sayak Naskar, hacky1997.

AI-analyzed exploit summary: The provided text describes a stored XSS vulnerability in Vanilla Forums 2.6.3, where an attacker can inject a malicious payload into the branding section. This payload executes when users access the branding settings, potentially leaking sensitive information.

Description

index.php?p=/dashboard/settings/branding in Vanilla 2.6.3 allows stored XSS.

Exploits (2)

exploitdb WRITEUP
by Sayak Naskar · text · webapps · php
https://www.exploit-db.com/exploits/48042

The provided text describes a stored XSS vulnerability in Vanilla Forums 2.6.3, where an attacker can inject a malicious payload into the branding section. This payload executes when users access the branding settings, potentially leaking sensitive information.

Classification: Writeup 80%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Vanilla Forums 2.6.3
Auth required
Prerequisites: Access to the branding settings section · Valid user credentials
devstral-2 · analyzed Feb 16, 2026

nomisec WRITEUP 3 stars
by hacky1997 · poc
https://github.com/hacky1997/CVE-2020-8825

The repository provides a detailed description of a stored XSS vulnerability in VanillaForum's branding settings page due to insufficient input sanitization. It includes technical details such as the affected URL and version but lacks actual exploit code.

Classification: Writeup 80%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: PHP VanillaForum 2.6.3
Auth required
Prerequisites: Access to the vulnerable URL (index.php?p=/dashboard/settings/branding) · User interaction to trigger the payload
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/hacky1997/CVE-2020-8825
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/156281/Vanilla-Forum-2.6.3-Cross-Site-Scripting.html

Scores

CVSS v3 5.4
EPSS 0.0187
EPSS Percentile 76.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
vanillaforums/vanilla 2.6.3
Published Feb 10, 2020
Tracked Since Feb 18, 2026