CVE-2023-53887

MEDIUM

Zomplog 3.9 - Authenticated Stored Cross-Site Scripting via Page Creation

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53887. PoCs published by Mirabbas Ağalarov.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Zomplog 3.9 by injecting malicious JavaScript via the 'title' parameter in a POST request to create a new page. The payload executes when the page is accessed, triggering the XSS.

Description

Zomplog 3.9 contains a cross-site scripting vulnerability that allows authenticated users to inject malicious scripts when creating new pages. Attackers can craft malicious image source and onerror attributes to execute arbitrary JavaScript code in victim's browser.

Exploits (1)

exploitdb WORKING POC
by Mirabbas Ağalarov · textwebappsphp
https://www.exploit-db.com/exploits/51625

This exploit demonstrates a stored XSS vulnerability in Zomplog 3.9 by injecting malicious JavaScript via the 'title' parameter in a POST request to create a new page. The payload executes when the page is accessed, triggering the XSS.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Zomplog v3.9
Auth required
Prerequisites: Valid user credentials · Access to the page creation functionality
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/51625

Scores

CVSS v3 5.4
EPSS 0.0021
EPSS Percentile 10.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
zomp/zomplog 3.9
Zomplog/Zomplog 3.9
Published Dec 15, 2025
Tracked Since Feb 18, 2026