CVE-2025-9980 in QuickCMS
Summary
by MITRE • 10/23/2025
QuickCMS is vulnerable to multiple Stored XSS vulnerabilities in the page editor functionality (pages-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when visiting the edited page. By default, the admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Analysis
by VulDB Data Team • 11/18/2025
CVE-2025-9980 represents a critical stored cross-site scripting vulnerability within QuickCMS's page editor functionality, specifically affecting the pages-form component. This vulnerability stems from inadequate input validation and output encoding mechanisms that fail to properly sanitize user-supplied content before rendering it within web pages. The flaw exists in the content management system's administrative interface where editors can create and modify webpage content, creating a persistent vector for malicious code injection that can affect all users who access the compromised pages.
The technical implementation of this vulnerability allows an attacker with administrative privileges to inject arbitrary HTML and JavaScript code directly into the CMS's page editing interface. When the modified content is subsequently rendered to end users, the injected malicious scripts execute within their browser context, potentially leading to session hijacking, credential theft, or redirection to malicious sites. This stored XSS vulnerability operates through the standard CMS editing workflow where administrators can add content to pages, with the malicious payload persisting in the database until manually removed or patched. The vulnerability's classification aligns with CWE-79, which specifically addresses Cross-Site Scripting flaws in web applications.
The operational impact of this vulnerability is severe given that it requires only administrative access to exploit, which typically provides attackers with extensive privileges within the CMS environment. Once compromised, the malicious code can be used to manipulate website content, steal sensitive information from authenticated users, or establish persistent backdoors within the application. The default security configuration of QuickCMS prevents regular users from injecting JavaScript, but this protection mechanism fails when an attacker gains administrative privileges, rendering the application's security model ineffective. This scenario creates a dangerous attack surface where a single compromised administrative account can lead to widespread compromise of the entire website.
Organizations affected by this vulnerability should immediately implement multiple layers of mitigation strategies. The primary remediation involves applying the vendor's security patch or upgrading to a non-vulnerable version of QuickCMS, though the lack of detailed vulnerability information from the vendor complicates this process. Network-based mitigations such as web application firewalls should be deployed to filter malicious payloads, while input validation should be strengthened at the application level to prevent any HTML or JavaScript from being stored without proper sanitization. Additionally, implementing content security policies and regular security audits of administrative accounts can help detect and prevent unauthorized access that could lead to exploitation of this vulnerability.
The ATT&CK framework categorizes this as a privilege escalation and persistence technique, where an attacker leverages administrative access to establish long-term control over the compromised system. Given that the vulnerability affects the core content management functionality, organizations should also consider conducting thorough security assessments of all administrative interfaces and implementing principle-of-least-privilege access controls to minimize potential damage from similar vulnerabilities.
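Because injected markup stays in stored page content until it is removed, existing page bodies can be audited for script-capable markup. The following is an added example, not code from the original page or from QuickCMS: it uses Python's standard html.parser, and the function names and the sample pages are constructed for illustration (how page content is exported from QuickCMS is assumed, not described on the page).

```python
from html.parser import HTMLParser

# Elements that run script or load active content on their own.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base"}
# URL-valued attributes that can carry a script scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

# Constructed sample data: page id -> stored HTML body.
SAMPLE_PAGES = {
    "about": '<h2>About us</h2>\n<p>See <a href="/contact">contact</a>.</p>',
    "news": '<p>Update</p>\n<img src="logo.png" onerror="load()">\n'
            '<a href="java&#115;cript:run()">more</a>',
    "home": '<p>Welcome</p>\n<script src="https://example.invalid/x.js"></script>',
}


class ActiveContentFinder(HTMLParser):
    """Collects (line, reason) for every script-capable construct."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            # Entities are already decoded; drop whitespace/control chars as browsers do in URLs.
            compact = "".join(c for c in (value or "") if c > " ").lower()
            if name.startswith("on"):
                self.findings.append((line, f"event handler {name}"))
            elif name in URL_ATTRS and compact.startswith(SCRIPT_SCHEMES):
                self.findings.append((line, f"script URL in {name}"))


def audit_page(html):
    """Return findings for one stored page body (empty list means clean)."""
    finder = ActiveContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


def audit_pages(pages):
    """Return {page id: findings} for pages that contain active content."""
    results = {pid: audit_page(body) for pid, body in pages.items()}
    return {pid: found for pid, found in results.items() if found}
```

A finding marks a page for manual review; it does not replace output encoding or sanitization in the application itself.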