CVE-2025-14006

3.5 LOW

📋 TL;DR

This is a cross-site scripting (XSS) vulnerability in XunRuiCMS up to version 4.7.1 that allows attackers to inject malicious scripts via the data[name] parameter on the Add Data Validation Page. The vulnerability can be exploited remotely without authentication, potentially affecting any XunRuiCMS installation with the vulnerable component exposed. Attackers could steal session cookies, redirect users, or perform actions on behalf of authenticated users.

💻 Affected Systems

Products:
  • dayrui XunRuiCMS
Versions: up to 4.7.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the /admind45f74adbd95.php file with specific parameters. Any installation with this component accessible is vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain administrative access to the CMS, deface websites, or install backdoors for persistent access.

🟠 Likely Case

Attackers inject malicious JavaScript to steal user session cookies or credentials, potentially compromising user accounts and data.

🟢 If Mitigated

With proper input validation and output encoding, the XSS payload would be neutralized, preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit has been publicly disclosed and requires minimal technical skill to execute. Attackers can craft malicious URLs containing XSS payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is available as the vendor has not responded. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement server-side validation and sanitization of the data[name] parameter to strip or encode HTML/JavaScript content.

Web Application Firewall (WAF) Rules

all

Deploy WAF rules to block requests containing XSS payloads targeting the vulnerable endpoint.

🧯 If You Can't Patch

  • Restrict access to the /admind45f74adbd95.php endpoint using network ACLs or authentication.
  • Implement Content Security Policy (CSP) headers to mitigate the impact of successful XSS attacks.

🔍 How to Verify

Check if Vulnerable:

Test by accessing the vulnerable URL with a simple XSS payload: /admind45f74adbd95.php?c=field&m=add&rname=site&rid=1&page=1&data[name]=<script>alert('XSS')</script>

Check Version:

Check the CMS version in the admin panel or configuration files.

Verify Fix Applied:

After implementing fixes, retest with the same payload to ensure script execution is prevented.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /admind45f74adbd95.php with suspicious parameters containing script tags or JavaScript code

Network Indicators:

  • Unusual traffic patterns to the vulnerable endpoint, especially with encoded payloads

SIEM Query:

source="web_logs" AND uri="/admind45f74adbd95.php" AND (param="data[name]" CONTAINS "<script>" OR param="data[name]" CONTAINS "javascript:")
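
The log indicator above, worked as an added example (not part of the original advisory or of XunRuiCMS): a Python scan of access-log lines for requests to the endpoint whose data[name] value carries markup, including percent-encoded and double-encoded forms that a plain substring match on "<script>" misses. The log format, sample lines and function names are constructed for illustration; the endpoint path and parameter name are the ones given on this page.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

ENDPOINT = "/admind45f74adbd95.php"  # path as given on this page
PARAM = "data[name]"
# Heuristic markup indicators: angle brackets, javascript: URIs, inline handlers.
SUSPICIOUS = re.compile(r"[<>]|javascript\s*:|\bon\w+\s*=", re.I)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding so double-encoded input is still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan(lines, endpoint=ENDPOINT, param=PARAM):
    """Return (line_no, decoded_value) for requests whose param carries markup."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        if url.path != endpoint:
            continue
        # parse_qsl decodes once, so an encoded key (data%5Bname%5D) matches too.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key != param:
                continue
            decoded = fully_decode(value)
            if SUSPICIOUS.search(decoded):
                hits.append((no, decoded))
    return hits

def _line(query):  # constructed combined-log-style line, documentation IP
    return (f'203.0.113.7 - - [01/Jan/2025:10:00:00 +0000] "GET {ENDPOINT}'
            f'?c=field&m=add&rname=site&rid=1&page=1&{query} HTTP/1.1" 200 512')

SAMPLE = [  # constructed sample input
    _line("data[name]=title"),
    _line("data[name]=<script>alert('XSS')</script>"),
    _line("data%5Bname%5D=%3Cscript%3Ealert(%27XSS%27)%3C%2Fscript%3E"),
    _line("data%5Bname%5D=%253Cscript%253Ealert(%2527XSS%2527)%253C%252Fscript%253E"),
]

if __name__ == "__main__":
    for no, value in scan(SAMPLE):
        print(f"line {no}: {PARAM} = {value}")
```

The scan only sees query strings, so values sent in a POST body need request-body logging or a WAF to be visible. Pass a different endpoint argument if the admin entry file on your installation has another name.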
