CVE-2023-53932

MEDIUM

Serendipity 2.4.0 - Authenticated Stored Cross-Site Scripting via Blog Entry Creation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53932, a PoC published by Mirabbas Ağalarov.

AI-analyzed exploit summary: this exploit demonstrates a stored XSS vulnerability in Serendipity 2.4.0 by injecting a malicious payload into a new entry, which executes when the entry is viewed. The payload is URL-encoded and embedded in the 'body' parameter of a POST request.

Description

Serendipity 2.4.0 contains a stored cross-site scripting vulnerability (CWE-79) in blog entry creation: the entry text submitted in the 'body' parameter of the entry-creation POST request is stored and later rendered without adequate output encoding or sanitization. An authenticated user with rights to create entries can embed a JavaScript payload that executes in the browser of every user who views the published entry, which can include higher-privileged users such as administrators reviewing the post. That is why the CVSS vector records low privileges (PR:L), user interaction (UI:R) and a scope change (S:C): the attacker needs an author account, the victim only has to view the entry, and the script runs in the victim's session rather than the attacker's.
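The following Python script is an added example, not code from the Serendipity project and not the exploit-db PoC. It shows the vulnerable rendering pattern the description refers to (the stored entry body echoed verbatim into the page), an allowlist sanitizer as the hardened form, and a check a tester can run on a fetched entry page to tell whether a marker payload was stored live or neutralized. Only the 'body' POST parameter comes from the page; the 'title' field, the marker, the <article> wrapper and the tag allowlist are assumptions.

```python
"""Stored-XSS demonstration and check for a blog entry body.

Added example: not Serendipity code and not the exploit-db PoC. Only the
'body' POST parameter comes from the advisory; everything else is assumed.
"""
import html
import urllib.parse
from html.parser import HTMLParser

# Constructed marker: a unique token instead of alert(1), so the check cannot be
# satisfied by unrelated <script> tags already present in the blog template.
MARKER = "s9y-xss-check-7f3a"
PAYLOAD = f'<script>document.title="{MARKER}"</script>'


def encode_entry_post(title: str, body: str) -> str:
    """URL-encode the entry-creation form as the PoC does (field 'title' is assumed)."""
    return urllib.parse.urlencode({"title": title, "body": body})


def render_vulnerable(body: str) -> str:
    """The CWE-79 pattern the CVE describes: the stored body interpolated verbatim."""
    return f'<article class="entry">{body}</article>'


# Allowlist for the hardened renderer (assumed). Blog authors legitimately write
# HTML, so escaping the whole body is not an option; keep harmless tags, drop the rest.
ALLOWED_TAGS = {"p", "a", "b", "i", "em", "strong", "ul", "ol", "li", "br",
                "code", "pre", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
RAW_TEXT_TAGS = {"script", "style"}
BLOCKED_SCHEMES = ("javascript:", "data:", "vbscript:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the entry from the allowlist; everything else, including every
    on* event handler attribute and scriptable URL scheme, is discarded."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside <script>/<style>, whose text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, onclick=, style=, ...
            value = value or ""
            # Browsers ignore tabs/newlines inside a URL scheme; strip them before checking.
            if name == "href" and "".join(value.split()).lower().startswith(BLOCKED_SCHEMES):
                continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.skip_depth == 0:
            self.out.append(html.escape(data, quote=False))


def sanitize_entry_body(body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def render_hardened(body: str) -> str:
    return f'<article class="entry">{sanitize_entry_body(body)}</article>'


def is_stored_unescaped(rendered_html: str, payload: str = PAYLOAD) -> bool:
    """True when the exact payload is present as live markup, i.e. it would execute.
    An escaped copy (&lt;script&gt;...) or a stripped one does not match."""
    return payload in rendered_html


if __name__ == "__main__":
    print("POST body:", encode_entry_post("test entry", PAYLOAD))
    for label, page in (("vulnerable", render_vulnerable(PAYLOAD)),
                        ("hardened", render_hardened(PAYLOAD))):
        print(f"{label:>10}: stored XSS = {is_stored_unescaped(page)}")
```

To use the check against a real instance, post the encoded form with a valid author session, fetch the published entry and pass the response text to is_stored_unescaped; the unique marker keeps the result from being confused with scripts that belong to the theme. The allowlist parser here is deliberately small; a production fix in a PHP code base would normally reach for a maintained sanitizer such as HTML Purifier, which also handles malformed markup, CSS and SVG cases this example does not.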

Exploits (1)

exploit-db, working PoC
by Mirabbas Ağalarov · text · webapps · php
https://www.exploit-db.com/exploits/51373


Classification
Working PoC (95% confidence)
Attack type: XSS
Complexity: trivial
Reliability: reliable
Target: Serendipity 2.4.0
Authentication required: yes
Prerequisites: valid credentials for an account allowed to create a new entry in Serendipity
Analysis: devstral-2, Feb 16, 2026

References (3)

Exploit, Third Party Advisory, VDB Entry: https://www.exploit-db.com/exploits/51373
Product: https://docs.s9y.org/

Scores

CVSS v3.1: 5.4 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack vector: Network
EPSS: 0.0021 (0.21%), percentile 10.5%

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical impact: partial

Details

CWE
CWE-79
Status published
Products
s9y/serendipity 2.4.0
Published Dec 17, 2025
Tracked Since Feb 18, 2026