Platform: php
Component: native-php-cms
Fixed in: 1.0.1
A problematic cross-site scripting (XSS) vulnerability has been identified in native-php-cms version 1.0. This flaw allows attackers to inject malicious scripts through manipulation of the 'info' argument within the /fladmin/sysconfig_doedit.php file. Affected users should upgrade to version 1.0.1 to address this security concern. The vulnerability has been publicly disclosed.
Successful exploitation of CVE-2025-0485 allows an attacker to inject arbitrary JavaScript code into the native-php-cms application. This can lead to various malicious outcomes, including session hijacking, defacement of the website, redirection to phishing sites, and theft of sensitive user data. The attacker can execute code in the context of the user's browser, potentially gaining access to their credentials or other private information. Given the nature of XSS, the impact can range from minor annoyance to significant data compromise, depending on the attacker's goals and the sensitivity of the data handled by the application.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. There is currently no indication of active campaigns targeting this specific vulnerability, but the availability of public information makes it a potential target for opportunistic attackers. Severity is assessed as LOW due to the potential for limited impact and the requirement for user interaction. No KEV listing is present at this time.
EPSS: 0.22% (45th percentile)
The primary mitigation for CVE-2025-0485 is to upgrade native-php-cms to version 1.0.1, which contains the fix for this vulnerability. If upgrading immediately is not feasible, consider implementing input validation and output encoding on the 'info' parameter in /fladmin/sysconfig_doedit.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload through the /fladmin/sysconfig_doedit.php interface and verifying that it is properly sanitized.
Update to a patched version or apply the necessary security measures to prevent malicious code injection through the 'info' parameter in the file '/fladmin/sysconfig_doedit.php'. Validating and sanitizing user input is crucial. If a patched version is not available, consider disabling or removing the affected functionality until a solution can be applied.
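The input validation and output encoding recommended above for the 'info' parameter could be implemented as follows. This is an added example, not code from native-php-cms: the function names, the 500-character limit and the sample inputs are assumptions, and it needs PHP 8 with the mbstring extension.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the real sysconfig_doedit.php source is not shown on this page.
const INFO_MAX_LEN = 500; // assumed limit for the 'info' field

function validate_info(mixed $raw): string
{
    if (!is_string($raw)) { // rejects array-valued parameters such as info[]=x
        throw new InvalidArgumentException('info must be a string');
    }
    if (!mb_check_encoding($raw, 'UTF-8')) { // malformed bytes can defeat later encoding
        throw new InvalidArgumentException('info must be valid UTF-8');
    }
    $value = trim($raw);
    if (mb_strlen($value, 'UTF-8') > INFO_MAX_LEN) {
        throw new InvalidArgumentException('info is too long');
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value)) {
        throw new InvalidArgumentException('info contains control characters');
    }
    return $value;
}

// Encode for an HTML text node or a quoted attribute value.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs standing in for $_POST['info'].
$samples = [
    'Site maintenance on Friday',
    '<script>alert(1)</script>',
    '" onmouseover="x',
    ['nested' => 'array'],
];
foreach ($samples as $raw) {
    try {
        $info = validate_info($raw);      // persist the validated value as-is
        echo html_encode($info), PHP_EOL; // encode only at the point of rendering
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The encoding shown is only correct for HTML body and quoted-attribute contexts; a value written into a script block, URL or CSS needs the encoder for that context instead.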
CVE-2025-0485 is a cross-site scripting (XSS) vulnerability in native-php-cms version 1.0, allowing attackers to inject malicious scripts.
You are affected if you are using native-php-cms version 1.0 and have not upgraded to version 1.0.1.
Upgrade native-php-cms to version 1.0.1. As a temporary workaround, implement input validation and output encoding on the 'info' parameter.
While there's no confirmed active exploitation, the public disclosure increases the risk of future attacks.
Refer to the native-php-cms project's official website or repository for the latest security advisories.