Platform: php
Component: vul
Fixed in: 4.7.1, 4.7.2
CVE-2025-14005 describes a cross-site scripting (XSS) vulnerability discovered in XunRuiCMS versions 4.7.0 through 4.7.1. This flaw allows an attacker to inject malicious scripts into web pages viewed by other users, potentially leading to session hijacking or defacement. The vulnerability resides in the /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=0 endpoint. A public exploit is available, indicating an elevated risk.
Successful exploitation of CVE-2025-14005 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser session. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the website. The attacker could also use this vulnerability to launch phishing attacks, tricking users into revealing sensitive information. Given the public availability of an exploit, the potential for widespread exploitation is significant, particularly against systems running vulnerable versions of XunRuiCMS.
CVE-2025-14005 has been publicly disclosed and a proof-of-concept exploit is readily available, significantly increasing the likelihood of exploitation. The vulnerability is tracked by the NVD and CISA. The EPSS score is likely to be medium or high due to the public exploit and ease of exploitation. Active campaigns targeting XunRuiCMS are possible, given the vulnerability's accessibility.
Exploit Status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-14005 is to upgrade XunRuiCMS to a version that addresses this vulnerability. Unfortunately, no fixed version is currently specified. As a temporary workaround, implement strict input validation and output encoding on the data[name] parameter within the /admind45f74adbd95.php endpoint. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide some protection. Regularly review and update your WAF rules to ensure they are effective against emerging threats. After applying any mitigation, thoroughly test the application to ensure functionality remains intact.
Update XunRuiCMS to a version later than 4.7.1, if one exists, that fixes the XSS vulnerability. If no patched version is available, it is recommended to apply a manual patch that filters or escapes the input of the 'data[name]' field in the /admind45f74adbd95.php file before displaying it in the user interface.
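As an added illustration of the validate-on-input, encode-on-output workaround described above (example code written for this page, not XunRuiCMS's own handler), the following hypothetical PHP snippet treats the data[name] value the way the advice recommends. The function names, the character-set rule and the sample input are assumptions made for the example.

```php
<?php
// Hypothetical hardening for a field-add handler; not XunRuiCMS code.
// Assumes the field label arrives as $_POST['data']['name'] and is later
// rendered in the admin UI, the pattern described for CVE-2025-14005.
declare(strict_types=1);

// Input validation: restrict the label to letters, digits, underscore, hyphen
// and space (constructed rule for this example; adapt to the real character set).
function validateFieldName(string $raw): string
{
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        throw new InvalidArgumentException('field name must be 1-64 characters');
    }
    if (!preg_match('/^[\p{L}\p{N}_\- ]+$/u', $name)) {
        throw new InvalidArgumentException('field name contains disallowed characters');
    }
    return $name;
}

// Output encoding: escape at the point of rendering, independent of validation,
// so a value that slipped past the filter (or came from the database) is still inert.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern: untrusted input concatenated straight into HTML.
function renderUnsafe(array $data): string
{
    return '<td>' . ($data['name'] ?? '') . '</td>';
}

// Hardened pattern: validate on input, encode on output.
function renderSafe(array $data): string
{
    $name = validateFieldName((string) ($data['name'] ?? ''));
    return '<td>' . e($name) . '</td>';
}

// Constructed sample input: a script tag where a field label is expected.
$sample = ['name' => '<script>alert(1)</script>'];
echo renderUnsafe($sample), PHP_EOL;      // the tag reaches the page unchanged
echo e($sample['name']), PHP_EOL;         // encoding alone neutralises it
try {
    echo renderSafe($sample), PHP_EOL;
} catch (InvalidArgumentException $ex) {
    echo 'rejected: ', $ex->getMessage(), PHP_EOL;   // validation refuses it
}
echo renderSafe(['name' => 'Site Title']), PHP_EOL;  // a normal label passes
```

Validation is the first line of defence for this endpoint, but the escaping in e() is what actually prevents stored values from executing, so apply it wherever data[name] is echoed, not only in the add form.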
CVE-2025-14005 is a cross-site scripting (XSS) vulnerability affecting XunRuiCMS versions 4.7.0-4.7.1, allowing attackers to inject malicious scripts.
You are affected if you are running XunRuiCMS versions 4.7.0 or 4.7.1 and have not upgraded to a patched version.
Upgrade XunRuiCMS to a version that addresses the vulnerability. If upgrading is not immediately possible, implement input validation and output encoding as a temporary workaround.
Due to the public availability of an exploit, CVE-2025-14005 is likely being actively exploited or is at high risk of exploitation.
Check the XunRuiCMS website or security mailing lists for official advisories related to CVE-2025-14005.