CVE-2025-61183

MEDIUM

vaahcms 2.3.1 - Cross-Site Scripting via UserBase.php storeAvatar() Upload Method

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-61183. PoCs published by XiaomingX, thawphone.


Description

Cross-site scripting in VaahCMS v2.3.1 allows a remote attacker to execute arbitrary script in a victim's browser via the upload method in the storeAvatar() method of UserBase.php. The public writeup tracked below attributes this to unsafe handling of uploaded SVG files, which browsers render as documents and which can therefore carry script.

Exploits (2)

github WORKING POC 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2025/CVE-2025-61183

The analysis attached to this entry describes a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042): time-based blind SQLi via a crafted HTTP header, with extraction of admin credentials and password hashes. That does not match CVE-2025-61183, which is a stored XSS in VaahCMS, so the classification below should not be read as a working PoC for this CVE; the linked directory in the XiaomingX collection should be checked directly before relying on it.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Quiz Maker <= 6.7.0.56
No auth needed
Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)
devstral-2 · analyzed Feb 27, 2026
nomisec WRITEUP
by thawphone · poc
https://github.com/thawphone/CVE-2025-61183

This repository provides a detailed technical analysis of CVE-2025-61183, a stored XSS vulnerability in VaahCMS 2.3.1 caused by unsafe SVG file handling in the avatar upload path. The writeup covers the root cause, the exploitation flow, and mitigation steps, but does not ship functional exploit code. Note that the writeup reports a registered low-privilege account as a prerequisite, while the CVSS vector recorded on this page (PR:N) assumes no privileges; treat the writeup's requirement as the practical one when prioritizing.

Classification
Writeup 95%
Attack Type
Xss
Complexity
Moderate
Reliability
Reliable
Target: VaahCMS 2.3.1
Auth required
Prerequisites: low-level registered user account · ability to upload files
devstral-2 · analyzed May 07, 2026
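The root cause reported for this CVE is an avatar upload path that accepts and stores SVG content, which a browser renders as a document and from which it will execute script. The following is an added example, not VaahCMS's code and not taken from either tracked repository, of the server-side check a practitioner would want in such a handler: it decides by sniffing the file content rather than trusting the client's filename or MIME type, rejects SVG outright for avatars, and separately flags the script-bearing constructs that turn a stored SVG into an XSS vector. The SVG payload and the truncated PNG header below are constructed sample inputs, not files from the advisory; the function and constant names are this example's own.

```python
import re
from typing import Optional, Tuple

# Magic-byte signatures for the raster formats an avatar endpoint should accept.
_MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)
# Extensions a stored file may carry for each sniffed type.
_EXT_FOR = {"image/png": (".png",), "image/jpeg": (".jpg", ".jpeg"),
            "image/gif": (".gif",), "image/webp": (".webp",)}

# An SVG root element near the top of the file, whatever the filename claims.
_SVG_ROOT = re.compile(rb"<\s*svg\b", re.IGNORECASE)
# Constructs that execute script when an SVG is rendered as a document.
_ACTIVE = re.compile(
    rb"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:|<\s*foreignObject\b",
    re.IGNORECASE,
)


def sniff_image_type(data: bytes) -> Optional[str]:
    """MIME type implied by the leading bytes, or None if not a known raster format."""
    for sig, mime in _MAGIC:
        if data.startswith(sig):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def looks_like_svg(data: bytes) -> bool:
    """True when the payload is an SVG document, regardless of extension or claimed type."""
    head = data[:8192].lstrip(b"\xef\xbb\xbf \t\r\n")  # skip BOM and leading whitespace
    return _SVG_ROOT.search(head) is not None


def svg_has_active_content(data: bytes) -> bool:
    """True when the SVG carries script, event handlers, javascript: URLs or foreignObject."""
    return _ACTIVE.search(data) is not None


def validate_avatar(filename: str, client_mime: str, data: bytes) -> Tuple[bool, str]:
    """Decide whether to store an uploaded avatar.

    Returns (True, sniffed_mime) or (False, reason). The client-supplied filename and
    MIME type are never trusted on their own; they must agree with the sniffed type so
    the stored file is later served as what it really is.
    """
    if looks_like_svg(data):
        if svg_has_active_content(data):
            return False, "svg with script or event handlers"
        return False, "svg not accepted for avatars"
    mime = sniff_image_type(data)
    if mime is None:
        return False, "unrecognised image content"
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if "." + ext not in _EXT_FOR[mime]:
        return False, f"extension .{ext} does not match sniffed {mime}"
    if client_mime.lower() != mime:
        return False, f"client type {client_mime} does not match sniffed {mime}"
    return True, mime


# Constructed sample inputs (not files from the advisory or the writeup).
SVG_XSS = (b'<?xml version="1.0"?>\n'
           b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)">\n'
           b'  <script>fetch("/api/me").then(r => r.text())</script>\n'
           b'</svg>\n')
SVG_PLAIN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
PNG_HEAD = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR"  # signature plus start of IHDR

if __name__ == "__main__":
    for name, mime, blob in [("me.png", "image/png", SVG_XSS),
                             ("me.svg", "image/svg+xml", SVG_PLAIN),
                             ("me.png", "image/png", PNG_HEAD),
                             ("me.gif", "image/gif", PNG_HEAD)]:
        print(name, mime, validate_avatar(name, mime, blob))
```

The first sample shows why the check must be content-based: an SVG renamed to .png and declared as image/png is still rejected, because the decision never consults the name or the declared type before sniffing. Rejecting all SVG for avatars is the simplest fix; where SVG must be accepted elsewhere, serve it from a separate origin with Content-Disposition: attachment and X-Content-Type-Options: nosniff, and sanitize it with an allow-list parser rather than the regex above, which is a detection aid and not a sanitizer.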


Scores

CVSS v3 6.1
EPSS 0.0010
EPSS Percentile 27.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (2)
webreinvent/vaahcms 2.3.1
webreinvent/vaahcms (Packagist)
Published Oct 08, 2025
Tracked Since Feb 18, 2026