Platform
php
Component
xunruicms
Fixed in
4.6.1
4.6.2
4.6.3
4.6.4
CVE-2025-2131 is a cross-site scripting (XSS) vulnerability affecting XunRuiCMS versions 4.6.0 through 4.6.3. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user sessions and stealing sensitive data. The vulnerability resides within the Friendly Links Handler component and can be triggered by manipulating the Website Address parameter. A patch is available in version 4.6.4.
Successful exploitation of CVE-2025-2131 allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to session hijacking, defacement of the website, redirection to malicious sites, and theft of sensitive information such as login credentials or personal data. The impact is amplified if the XunRuiCMS site is used to manage sensitive data or handle financial transactions. While the CVSS score is LOW, the ease of exploitation and potential for user compromise make this a significant risk, particularly for sites with a large user base or high-value data.
This vulnerability has been publicly disclosed, increasing the likelihood of exploitation. No known active campaigns targeting this specific CVE have been reported as of the publication date. There are no known public proof-of-concept exploits readily available, but the ease of exploitation suggests that such exploits may emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS
0.08% (25% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-2131 is to upgrade XunRuiCMS to version 4.6.4 or later, which contains the fix. If upgrading immediately is not possible, consider implementing input validation and sanitization on the Website Address parameter within the Friendly Links Handler. Web Application Firewalls (WAFs) can be configured to detect and block malicious requests containing suspicious JavaScript code. Regularly review and update XunRuiCMS plugins and extensions to ensure they are not introducing new vulnerabilities. After upgrade, confirm the vulnerability is resolved by attempting to inject a simple XSS payload into the Website Address field and verifying that the script is not executed.
Update XunRuiCMS to a version later than 4.6.3 to fix the XSS vulnerability. If updating is not possible, carefully review and filter user inputs in the Friendly Links Handler component, especially the Website Address field, to prevent the injection of malicious code. Consider temporarily disabling the Friendly Links functionality until a solution can be applied.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-2131 is a cross-site scripting (XSS) vulnerability affecting XunRuiCMS versions 4.6.0–4.6.3, allowing attackers to inject malicious scripts.
You are affected if you are using XunRuiCMS versions 4.6.0 through 4.6.3. Upgrade to 4.6.4 or later to mitigate the risk.
Upgrade XunRuiCMS to version 4.6.4 or later. Implement input validation and consider using a WAF as temporary mitigation.
While no active campaigns are confirmed, the vulnerability is publicly disclosed, increasing the risk of exploitation.
Refer to the XunRuiCMS official website or security advisories for the latest information and updates regarding CVE-2025-2131.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.