CVE-2025-64047 in RapidCMS
Summary
by MITRE • 11/24/2025
OpenRapid RapidCMS 1.3.1 is vulnerable to Cross Site Scripting (XSS) in /user/user-move.php.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 11/25/2025
The vulnerability identified as CVE-2025-64047 affects OpenRapid RapidCMS version 1.3.1 and represents a critical cross site scripting flaw located within the /user/user-move.php script. This vulnerability arises from insufficient input validation and output encoding mechanisms that fail to properly sanitize user-supplied data before processing and rendering within the web application interface. The affected component specifically handles user movement operations and demonstrates a classic XSS vector where malicious payloads can be injected through improperly validated parameters.
This vulnerability falls under CWE-79 which categorizes cross site scripting flaws as weaknesses in input validation and output encoding. The flaw exists in the application's failure to implement proper sanitization controls for user-provided content, allowing attackers to inject malicious scripts that execute in the context of other users' browsers. The attack surface is particularly concerning given that the vulnerable script handles user movement operations, suggesting that legitimate users may inadvertently trigger the execution of malicious payloads when interacting with the application's user management functionality.
The operational impact of this vulnerability extends beyond simple data theft or session hijacking. An attacker could leverage this XSS flaw to execute arbitrary JavaScript code within the victim's browser context, potentially leading to complete session compromise, data exfiltration, or redirection to malicious sites. The vulnerability's location within the user management component also presents opportunities for privilege escalation attacks if the application's access controls are insufficient. Additionally, the XSS payload could be crafted to target administrative users, potentially enabling attackers to gain elevated privileges and control over the entire CMS instance.
Mitigation strategies for this vulnerability should prioritize immediate implementation of proper input validation and output encoding controls. The application must sanitize all user-supplied data through comprehensive validation mechanisms that strip or encode potentially dangerous characters before processing. Implementing Content Security Policy headers can provide additional defense in depth against XSS attacks by restricting script execution sources. The fix should also include proper parameter validation within the /user/user-move.php script to ensure that all inputs are properly escaped before being rendered in the user interface. Security patches should be applied immediately to prevent exploitation, and regular security testing should be conducted to identify similar vulnerabilities throughout the application codebase. Organizations should also consider implementing web application firewalls and monitoring systems to detect and prevent exploitation attempts targeting this specific vulnerability.