CVE-2023-53928

MEDIUM

PHPFusion 9.10.30 - XSS

Title source: llm

Description

PHPFusion 9.10.30 contains a stored cross-site scripting vulnerability in the file manager that allows attackers to upload malicious SVG files with embedded JavaScript. Attackers can upload SVG files with script tags that execute arbitrary JavaScript when viewed, potentially stealing user session information or performing client-side attacks.

Exploits (1)

exploitdb WORKING POC

by Mirabbas Ağalarov · textwebappsphp

https://www.exploit-db.com/exploits/51411

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory] https://www.exploit-db.com/exploits/51411

[Product] https://www.phpfusion.com/index.php

[Third Party Advisory] https://www.vulncheck.com/advisories/phpfusion-stored-cross-site-scripting-via-file-manager-upload

Scores

CVSS v3 5.4

EPSS 0.0005

EPSS Percentile 16.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

php-fusion/phpfusion 9.10.30

Php-fusion/PHPFusion 9.10.30

Published Dec 17, 2025

Tracked Since Feb 18, 2026