Platform: php
Component: native-php-cms
Fixed in: 1.0.1
A cross-site scripting (XSS) vulnerability has been identified in native-php-cms version 1.0. The flaw resides in the /fladmin/jump.php file, where manipulation of the 'message/error' argument allows attackers to inject malicious scripts. The vulnerability is remotely exploitable and has been publicly disclosed. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-0483 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session on a system running native-php-cms. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data such as cookies and login credentials. The impact is amplified if the CMS is used to manage sensitive information or handle financial transactions. The remote nature of the vulnerability means an attacker does not need local access to the system to exploit it.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No known active campaigns targeting CVE-2025-0483 have been reported as of the publication date. The CVSS score of 3.5 (LOW) reflects limited severity, but the public disclosure still warrants prompt remediation. The vulnerability was published on 2025-01-15.
Exploit Status
EPSS: 0.36% (58th percentile)
The primary mitigation for CVE-2025-0483 is to immediately upgrade native-php-cms to version 1.0.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the 'message/error' parameter in /fladmin/jump.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads targeting this specific file and parameter can provide an additional layer of defense. Review access logs for suspicious activity related to /fladmin/jump.php.
Update to a patched version or apply a fix to prevent script injection (XSS) via the message/error parameter of the jump.php file. Escaping output and validating user input are essential to prevent this class of vulnerability. If no patch is available, consider disabling or removing the affected component.
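The output-encoding workaround described above, as an added illustration that is not native-php-cms code: the project's real jump.php is not reproduced here, and the function names, the `.notice` markup and the 200-character limit are assumptions. It contrasts the unsafe reflection of a 'message'/'error' query parameter with a version that validates the input and HTML-encodes it on output.

```php
<?php
// Added illustrative example, not code from native-php-cms. The actual
// jump.php is not shown here; this models the pattern the advisory
// describes (a reflected 'message'/'error' parameter) and its fix.

declare(strict_types=1);

// Unsafe pattern: the raw parameter is concatenated into HTML, so any
// markup in the query string is interpreted by the browser.
function render_message_unsafe(array $query): string
{
    $text = $query['message'] ?? $query['error'] ?? '';
    return '<div class="notice">' . $text . '</div>';
}

// Hardened pattern: validate the input, then HTML-encode on output so the
// parameter is only ever rendered as literal text.
function render_message_safe(array $query): string
{
    $text = $query['message'] ?? $query['error'] ?? '';
    // PHP query parsing can yield arrays (message[]=...); treat as empty.
    if (!is_string($text)) {
        $text = '';
    }
    // Reject oversized input and control characters (limit is assumed).
    if (strlen($text) > 200 || preg_match('/[\x00-\x1F\x7F]/', $text)) {
        $text = 'Invalid message.';
    }
    // ENT_QUOTES encodes both quote styles, ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string, ENT_HTML5 matches the doctype.
    $encoded = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<div class="notice">' . $encoded . '</div>';
}

// Constructed sample input containing markup and quotes.
$sample = ['message' => '<b>hi</b> "quoted"'];
echo render_message_unsafe($sample), PHP_EOL; // markup is passed through as HTML
echo render_message_safe($sample), PHP_EOL;   // markup is shown as escaped text
```

When reviewing access logs for /fladmin/jump.php, requests whose message/error values contain angle brackets or quotes are the ones worth a closer look.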
CVE-2025-0483 is a cross-site scripting vulnerability in native-php-cms version 1.0 affecting the /fladmin/jump.php file. Attackers can inject malicious scripts via the 'message/error' parameter.
Yes, if you are running native-php-cms version 1.0, you are vulnerable. Upgrade to version 1.0.1 or later to mitigate the risk.
Upgrade native-php-cms to version 1.0.1 or later. As a temporary workaround, implement input validation and output encoding on the 'message/error' parameter.
While no active campaigns have been confirmed, the vulnerability has been publicly disclosed, increasing the risk of exploitation. Prompt remediation is recommended.
Refer to the native-php-cms project's official website or repository for the latest security advisories and updates related to CVE-2025-0483.