CVE-2025-55287

MEDIUM

kreaweb genealogy < 4.4.0 - Authenticated Stored Cross-Site Scripting

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-55287. PoCs published by Eternalvalhalla.

AI-analyzed exploit summary This PoC demonstrates an authenticated stored XSS vulnerability in a Genealogy app (versions prior to 4.4.0) where an attacker with Editor+ privileges can inject malicious JavaScript into a person's firstname/lastname field. When a higher-privileged user deletes the person, the script executes, sending a CSRF token and snapshot data to add the attacker as an Administrator via a Livewire component update.

Description

Genealogy is a family tree PHP application. Prior to 4.4.0, Authenticated Stored Cross-Site Scripting (XSS) vulnerability was identified in the Genealogy application. Authenticated attackers could run arbitrary JavaScript in another user’s session, leading to session hijacking, data theft, and UI manipulation. This vulnerability is fixed in 4.4.0.

Exploits (1)

nomisec WORKING POC 1 stars

by Eternalvalhalla · poc

https://github.com/Eternalvalhalla/CVE-2025-55287-POC

View Code ZIP pw:eip

This PoC demonstrates an authenticated stored XSS vulnerability in a Genealogy app (versions prior to 4.4.0) where an attacker with Editor+ privileges can inject malicious JavaScript into a person's firstname/lastname field. When a higher-privileged user deletes the person, the script executes, sending a CSRF token and snapshot data to add the attacker as an Administrator via a Livewire component update.

Classification

Working Poc 95%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Genealogy app < 4.4.0

Auth required

Prerequisites: Authenticated access with Editor+ role · Ability to create a new person in the app · Victim with higher privileges must delete the malicious person entry

MITRE ATT&CK

T1189 - Drive-by Compromise T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Mitigation, Third Party Advisory x_refsource_confirm

https://github.com/MGeurts/genealogy/security/advisories/GHSA-j457-9m86-6q5r

Patch x_refsource_misc

https://github.com/MGeurts/genealogy/commit/1683b3cbea5e52c99291fa231b7bc8c33f33c33f

View Patch ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0030

EPSS Percentile 21.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

kreaweb/genealogy < 4.4.0

Published Aug 18, 2025

Tracked Since Feb 18, 2026