CVE-2023-53904

MEDIUM

Xenforo 2.2.13 - Authenticated Stored Cross-Site Scripting via Smilie Category Title Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53904. PoCs published by Furkan Karaarslan.

AI-analyzed exploit summary This exploit demonstrates an authenticated stored XSS vulnerability in Xenforo 2.2.12 by injecting malicious JavaScript via the smilie category title field. The payload triggers an alert with the document domain upon creation.

Description

Xenforo 2.2.13 contains a stored cross-site scripting vulnerability that allows authenticated administrators to inject malicious scripts through the smilie category title parameter. Attackers can create a smilie category with a malicious script that will execute when the admin panel is loaded, potentially enabling further client-side attacks.

Exploits (1)

exploitdb WORKING POC
by Furkan Karaarslan · textwebappsphp
https://www.exploit-db.com/exploits/51547

This exploit demonstrates an authenticated stored XSS vulnerability in Xenforo 2.2.12 by injecting malicious JavaScript via the smilie category title field. The payload triggers an alert with the document domain upon creation.

Classification
Working Poc 90%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Xenforo 2.2.12
Auth required
Prerequisites: Authenticated access to the Xenforo admin panel · CSRF token
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3
Core References
Exploit, Third Party Advisory exploit
https://www.exploit-db.com/exploits/51547
Various Sources product
https://xenforo.com/

Scores

CVSS v3 4.6
EPSS 0.0022
EPSS Percentile 12.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
Xenforo/Xenforo 2.2.13
Published Dec 17, 2025
Tracked Since Feb 18, 2026