CVE-2023-36217

CRITICAL

Xoops CMS 2.5.10 - Stored Cross-Site Scripting via Image Manager Category Name Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-36217. PoCs published by tmrswrr.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Xoops CMS 2.5.10, where an authenticated attacker can inject malicious JavaScript via the Image Manager's 'Add Category' feature. The payload executes when hovering over the injected category name in the multiupload interface.

Description

Cross Site Scripting vulnerability in Xoops CMS v.2.5.10 allows a remote attacker to execute arbitrary code via the category name field of the image manager function.

Exploits (1)

exploitdb WORKING POC

by tmrswrr · textwebappsphp

https://www.exploit-db.com/exploits/51520

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in Xoops CMS 2.5.10, where an authenticated attacker can inject malicious JavaScript via the Image Manager's 'Add Category' feature. The payload executes when hovering over the injected category name in the multiupload interface.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Xoops CMS 2.5.10

Auth required

Prerequisites: Authenticated access to the Xoops CMS admin panel

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Release Notes

https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10

Exploit, Third Party Advisory, VDB Entry

https://www.exploit-db.com/exploits/51520

Scores

CVSS v3 9.0

EPSS 0.0138

EPSS Percentile 68.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-79

Status published

Products (1)

xoops/xoops 2.5.10

Published Aug 03, 2023

Tracked Since Feb 18, 2026