CVE-2025-9981 in QuickCMS
Summary
by MITRE • 10/23/2025
QuickCMS is vulnerable to multiple Stored XSS in slider editor functionality (sliders-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed on every page. By default, an admin user is not able to add JavaScript into the website.
The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.
Analysis
by VulDB Data Team • 11/18/2025
QuickCMS presents a critical security vulnerability classified as CVE-2025-9981, which manifests as multiple stored cross-site scripting flaws within its slider editor functionality known as sliders-form. This vulnerability represents a significant threat to web application security and falls under the CWE-79 category of Cross-Site Scripting, specifically targeting stored XSS conditions where malicious code persists in the application's database and executes whenever affected pages are loaded. The flaw is particularly dangerous because it operates within the administrative interface where privileged users can manipulate content, making it a prime target for attackers seeking persistent code execution on victim websites. The vulnerability's severity is amplified by the fact that it allows attackers with administrative privileges to inject arbitrary HTML and JavaScript code that gets rendered and executed on every page of the website, effectively creating a persistent backdoor for malicious activities.
The technical implementation of this vulnerability stems from inadequate input validation and output encoding within the slider editor component. When administrators interact with the sliders-form functionality, the application fails to properly sanitize user inputs before storing them in the database. This omission creates an environment where malicious payloads can be stored and subsequently retrieved without proper sanitization, allowing attackers to execute scripts in the context of other users' browsers. The attack vector is particularly insidious because it leverages legitimate administrative privileges, making the exploitation appear as normal administrative activity rather than malicious behavior. The vulnerability's persistence is ensured by the stored nature of the XSS payload, which means that even after the initial injection, the malicious code continues to execute whenever the affected pages are accessed, creating a continuous threat vector.
The operational impact of CVE-2025-9981 extends far beyond simple script execution, as it provides attackers with the capability to perform a wide range of malicious activities including session hijacking, credential theft, data exfiltration, and complete compromise of the affected website. The persistent nature of stored XSS allows attackers to maintain access even after the initial compromise, as the malicious code executes automatically whenever users visit pages containing the compromised slider content. This vulnerability aligns with several tactics described in the MITRE ATT&CK framework, particularly those related to initial access through compromised credentials, execution via malicious code injection, and privilege escalation within the application. The default security configuration that prevents non-administrative users from injecting JavaScript actually makes this vulnerability more dangerous, as it indicates that the application's security model is fundamentally flawed in its approach to user privilege management and input validation.
Organizations using QuickCMS should immediately implement mitigations including comprehensive input validation, output encoding, and strict content sanitization within the slider editor functionality. The most effective immediate remediation involves implementing proper HTML entity encoding for all user-supplied content before storage and ensuring that the application enforces strict sanitization of all inputs through robust validation mechanisms. Implementing Content Security Policy headers can provide an additional layer of protection by restricting the sources from which scripts can be loaded and executed. Security monitoring should be enhanced to detect unusual administrative activities and potential XSS injection attempts, while regular security audits should be conducted to identify similar vulnerabilities within other components of the CMS. The lack of vendor response regarding specific vulnerable versions underscores the importance of proactive security measures and the need for organizations to maintain their own vulnerability assessment capabilities rather than relying solely on vendor disclosures. Given the potential for this vulnerability to enable complete website compromise, organizations should also consider implementing network-based intrusion detection systems and regular security scanning to identify and remediate similar issues across their entire web infrastructure.
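One way to carry out the monitoring and encoding steps above on a site you operate: audit stored slider content for active HTML, and entity-encode values that are meant to be plain text. This is an added example, not QuickCMS or VulDB code; the record layout (`id`, `description`) and the sample values are constructed assumptions, since the advisory does not name the affected fields.

```python
from html import escape
from html.parser import HTMLParser

# Constructed sample records; the field names are assumptions for illustration,
# not QuickCMS's real storage schema.
SLIDERS = [
    {"id": 1, "description": "Summer sale, up to 50% off"},
    {"id": 2, "description": "<b>New</b> arrivals <script>alert(1)</script>"},
    {"id": 3, "description": '<img src="banner.jpg" onerror="alert(1)">'},
    {"id": 4, "description": '<a href="JavaScript:alert(1)">more</a>'},
]

ACTIVE_TAGS = {"script", "iframe", "object", "embed", "svg", "base", "meta", "link", "form"}
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}

class ActiveContentFinder(HTMLParser):
    """Collects markup that can run script; plain formatting tags are ignored."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag <{tag}>")
        for name, value in attrs:
            # Drop whitespace (tabs, newlines) that URL parsers strip, then lowercase.
            scheme = "".join((value or "").split()).lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and scheme.startswith(("javascript:", "data:text/html")):
                self.findings.append(f"script URL in {name} on <{tag}>")

def audit(value):
    """Return a list of findings for one stored field value."""
    finder = ActiveContentFinder()
    finder.feed(value)
    finder.close()
    return finder.findings

def audit_sliders(records):
    """Map record id -> findings, for records that contain active content."""
    return {r["id"]: f for r in records if (f := audit(r["description"]))}

def render_text(value):
    """Entity-encode a value that should be shown as plain text."""
    return escape(value, quote=True)

if __name__ == "__main__":
    print(audit_sliders(SLIDERS))
```

Records flagged by the audit warrant a review of who saved them and when, alongside the administrative activity logs.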