CVE-2025-66686 in Perch

Summary

by MITRE • 01/07/2026

A stored Cross-Site Scripting (XSS) vulnerability exists in Perch CMS version 3.2. An authenticated attacker with administrative privileges can inject malicious JavaScript code into the “Help button url” setting within the admin panel. The injected payload is stored and executed when any authenticated user clicks the Help button, potentially leading to session hijacking, information disclosure, privilege escalation, and unauthorized administrative actions.

Analysis

by VulDB Data Team • 01/07/2026

This vulnerability represents a critical stored cross-site scripting flaw in Perch CMS version 3.2 that fundamentally compromises the security of administrative interfaces. The issue manifests through the "Help button url" configuration setting which fails to properly sanitize user input, creating an attack vector where malicious JavaScript code can be persistently injected into the application's administrative backend. The vulnerability is particularly dangerous because it requires only administrative authentication to exploit, meaning that an attacker who has already gained administrative access can further escalate their privileges by injecting malicious payloads that will execute against all authenticated users who interact with the help functionality. This represents a classic stored XSS scenario where the malicious code is not reflected but rather stored in the application's database and subsequently served to users without proper sanitization or encoding. The CWE-79 classification applies directly to this vulnerability as it involves the improper handling of untrusted data within a web application's output, specifically in the context of web application security controls that should prevent script injection attacks.

The technical implementation of this vulnerability allows an attacker to execute arbitrary JavaScript code in the context of any authenticated user's browser session, creating a persistent threat that can be leveraged for session hijacking attacks. When an authenticated user clicks the Help button, the stored malicious payload executes within their browser, potentially capturing session cookies, redirecting to malicious sites, or performing unauthorized administrative actions on behalf of the victim. This attack vector is particularly insidious because it can be used to escalate privileges beyond the initial administrative access, as the injected code can manipulate the browser's interaction with the CMS interface. The vulnerability's impact extends beyond simple information disclosure to include full administrative control, as the malicious script can access all administrative functions available to the authenticated user. The ATT&CK framework categorizes this as a technique involving code injection and privilege escalation through session manipulation, with the specific TTPs related to web application attacks and credential access through browser-based exploitation.

The operational impact of this vulnerability creates significant risk for organizations relying on Perch CMS for content management, as it provides an attack path for adversaries to maintain persistent access to administrative interfaces. Organizations with multiple administrative users face compounded risk, as each user interaction with the help button presents an opportunity for the malicious payload to execute. The vulnerability essentially transforms the administrative interface into a weaponized attack surface where legitimate administrative functionality becomes a vector for malicious code execution. Security teams must consider that this vulnerability can be used to establish persistent backdoors within the CMS environment, as the injected JavaScript can be designed to maintain access even after the initial exploitation. The attack requires minimal sophistication and can be automated, making it particularly dangerous in environments where administrative users frequently interact with the help functionality. Organizations should implement immediate mitigations including input validation and output encoding of all administrative configuration fields, while also considering the broader security implications of stored XSS vulnerabilities in web applications. The vulnerability underscores the critical importance of validating and sanitizing all user-supplied input within administrative interfaces, particularly in content management systems where administrators have elevated privileges and can inadvertently create persistent attack vectors through seemingly innocuous configuration settings.
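As an added illustration (not Perch's own code, and written in Python rather than the PHP Perch is built in), the two controls the analysis recommends for a URL-typed admin setting such as the Help button url: an allowlist validator applied before the value is stored, and attribute encoding applied again at render time. Function names, sample inputs and the hostnames are constructed for this example.

```python
import re
from html import escape
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters permitted in a URL by RFC 3986 (unreserved, reserved and '%').
# Quotes, angle brackets and spaces are not among them, so attribute breakouts
# such as  https://x/" onclick="...  are rejected before any parsing happens.
URL_CHARS = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*$")


def validate_help_url(value: str) -> Optional[str]:
    """Return the URL if it may be stored in the setting, otherwise None.

    Allowlist: absolute http(s) URLs with a host, or site-relative paths.
    javascript:, data:, protocol-relative //host and malformed values are
    refused at storage time rather than filtered at output time.
    """
    candidate = value.strip()  # browsers tolerate whitespace around "javascript:"
    if not candidate or not URL_CHARS.match(candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme:  # scheme comparison is case-insensitive ("JaVaScRiPt:")
        if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
            return None
        return candidate
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return None


def render_help_button(stored_url: str) -> str:
    """Encode at output time as well: storage-time validation is not a
    substitute for attribute encoding if the stored value is ever edited
    directly in the database or imported from an older install."""
    return '<a href="%s">Help</a>' % escape(stored_url, quote=True)


# Constructed sample inputs for the "Help button url" field (not from Perch).
SAMPLES = {
    "https://docs.example.test/help": True,
    "/admin/help": True,
    "javascript:alert(1)": False,
    "  JaVaScRiPt:alert(1)": False,
    "//attacker.example.test/x": False,
    'https://x.test/" onclick="alert(1)': False,
}

if __name__ == "__main__":
    for url, expected in SAMPLES.items():
        verdict = "accept" if validate_help_url(url) else "reject"
        print(f"{verdict:6} {url!r} (expected {'accept' if expected else 'reject'})")
```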

Responsible

MITRE

Reservation

12/08/2025

Disclosure

01/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00068

KEV

no

Activities

very low
