CVE-2023-53985

Severity: MEDIUM

Zippy CRM 6.5.4 - Reflected Cross-Site Scripting via Unvalidated Input Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-53985. PoCs published by nu11secur1ty.

AI-analyzed exploit summary: The exploit demonstrates a reflected XSS vulnerability in Zstore 6.5.4 by injecting a malicious payload into the 'p' parameter of the 'index.php' endpoint. The payload executes arbitrary JavaScript when rendered in the victim's browser.

Description

Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads through manual insertion points to execute arbitrary JavaScript code in the victim's browser context.

Exploits (1)

Exploit-DB (working PoC) by nu11secur1ty · textwebappsphp
https://www.exploit-db.com/exploits/51207


Classification: Working PoC (95%)
Attack type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Zstore 6.5.4
Authentication: none needed
Prerequisites: Victim must click a crafted URL or visit a malicious page
MITRE ATT&CK:
Analyzed by devstral-2 on Feb 18, 2026

References (5)

Core references:
https://zippy.com.ua/ (product)
https://www.exploit-db.com/exploits/51207 (exploit, third-party advisory)
https://github.com/leon-mbs/zstore (product)

Scores

CVSS v3: 6.1
EPSS: 0.0024
EPSS percentile: 14.6%
Attack vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC (Vulnrichment)

Exploitation: poc
Automatable: no
Technical impact: partial

Details

CWE: CWE-79
Status: published
Products (2): zippy/zstore 6.5.4; Zippy/Zstore 6.5.4
Published: Jan 13, 2026
Tracked since: Feb 18, 2026