CVE-2025-52710 in File Manager Pro Plugininfo

Summary

by MITRE • 06/20/2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Ninja Team File Manager Pro allows Stored XSS. This issue affects File Manager Pro: from n/a through 1.8.8.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/20/2025

The vulnerability identified as CVE-2025-52710 represents a critical cross-site scripting flaw within the Ninja Team File Manager Pro application, specifically categorized under CWE-79 which defines improper neutralization of input during web page generation. This vulnerability enables attackers to inject malicious scripts into web pages viewed by other users, creating a persistent threat that can compromise user sessions and data integrity. The flaw exists in the file manager's handling of user-supplied input during the generation of web pages, where insufficient sanitization or encoding mechanisms fail to properly neutralize potentially dangerous characters and script sequences.

The stored nature of this cross-site scripting vulnerability means that malicious payloads are permanently stored on the server and executed whenever affected pages are accessed by unsuspecting users. This characteristic significantly amplifies the impact compared to reflected XSS variants, as the malicious code persists and can affect multiple users over extended periods. Attackers can exploit this vulnerability by uploading or modifying files with malicious script content that gets rendered in the web interface, or by manipulating parameters that are stored and subsequently displayed in web pages without proper input validation. The affected version range spans from an unknown starting point through version 1.8.8, indicating that the vulnerability has existed for multiple releases and potentially affects a wide deployment base.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform session hijacking, steal sensitive user credentials, manipulate data, or redirect users to malicious websites. When combined with other attack vectors, this stored XSS vulnerability can facilitate more sophisticated attacks such as credential theft, privilege escalation, or data exfiltration from compromised user accounts. The vulnerability affects the core functionality of the file manager application, potentially compromising all users who interact with the system, making it a critical security concern for organizations relying on this tool for file management operations.

Mitigation strategies for CVE-2025-52710 should prioritize immediate patching of the affected application to the latest secure version, as this represents the most effective defense against the vulnerability. Organizations should implement comprehensive input validation and output encoding mechanisms to prevent malicious script injection, utilizing techniques such as HTML escaping and proper context-aware encoding for all user-supplied content. Network-based protections including web application firewalls and content security policies can provide additional layers of defense, while regular security audits and penetration testing should be conducted to identify similar vulnerabilities in the application's codebase. The vulnerability aligns with ATT&CK technique T1566.001 which covers the use of malicious file uploads as a method for executing code on target systems, emphasizing the importance of robust file validation and access controls in preventing exploitation of such vulnerabilities.

Responsible

Patchstack

Reservation

06/19/2025

Disclosure

06/20/2025

Moderation

accepted

CPE

ready

EPSS

0.00167

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!