CVE-2025-14519

3.5 LOW

📋 TL;DR

This CVE describes a stored cross-site scripting (XSS) vulnerability in the baowzh hfly travel website CMS. Attackers can inject malicious scripts into the advtext module's add functionality, which are then executed when other users view the affected content. The vulnerability affects all versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c and can be exploited remotely.

💻 Affected Systems

Products:
  • baowzh hfly travel website CMS
Versions: All versions up to commit 638ff9abe9078bc977c132b37acbe1900b63491c
Operating Systems: Any OS running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the advtext module specifically at /admin/index.php/advtext/add. The product uses rolling releases, making exact version tracking difficult.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, perform actions as authenticated users, deface websites, or redirect users to malicious sites, potentially leading to complete account takeover and data theft.

🟠 Likely Case

Attackers inject malicious JavaScript that steals user session cookies or credentials when legitimate users visit the compromised advtext pages, leading to account compromise.

🟢 If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as text rather than executable code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available on GitHub. The attack requires access to the advtext add functionality, which typically requires admin privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and output encoding as workarounds, or replace the software entirely.

🔧 Temporary Workarounds

Implement Input Validation

all

Add server-side validation to sanitize all user inputs in the advtext module, particularly for the add functionality.

Modify /admin/index.php/advtext/add so that each submitted field is passed through htmlspecialchars($_POST['input_field'], ENT_QUOTES, 'UTF-8'); where input_field is a placeholder for each advtext form field.

Content Security Policy

all

Implement a strict Content Security Policy header to prevent execution of inline scripts.

Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to PHP: header("Content-Security-Policy: default-src 'self'; script-src 'self'");
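The two workarounds above, as an added example that is not code from the hfly CMS or from this advisory: encodeForHtml() applies the same htmlspecialchars() call the advisory recommends, renderAdvtext() shows it used at the point where a stored advtext record is written into HTML (which also covers records saved before the add action was changed), and sendContentSecurityPolicy() sets the CSP header from the advisory. The function names, the title/content field names and the sample record are assumptions; the real CMS template and field names may differ.

```php
<?php
// Added example (not code from the hfly CMS or the advisory): output encoding
// for advtext content plus the CSP header. Function and field names are assumed.

declare(strict_types=1);

/**
 * Encode untrusted text for insertion into an HTML element body or a quoted
 * attribute value. ENT_QUOTES also encodes ' and "; ENT_SUBSTITUTE replaces
 * invalid UTF-8 instead of returning an empty string.
 */
function encodeForHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Send the CSP header from the advisory. Must be called before any output.
 * Note: script-src 'self' also blocks the CMS's own inline <script> blocks and
 * on*= attributes, so test the admin pages after enabling it.
 */
function sendContentSecurityPolicy(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'");
    }
}

/**
 * Render one advtext record the way a template should: every stored field is
 * encoded at the moment it is placed into HTML, regardless of whether the add
 * action filtered it on the way in. Field names 'title' and 'content' are assumed.
 */
function renderAdvtext(array $record): string
{
    $title = encodeForHtml((string) ($record['title'] ?? ''));
    $body  = encodeForHtml((string) ($record['content'] ?? ''));
    return "<div class=\"advtext\"><h3>{$title}</h3><p>{$body}</p></div>";
}

/**
 * Self-check used in place of a manual browser test: throw if any raw markup
 * or quote from the sample input survives in the rendered HTML.
 */
function selfCheck(string $html): void
{
    foreach (['<script', '<b>', '"save"'] as $raw) {
        if (strpos($html, $raw) !== false) {
            throw new RuntimeException("raw markup survived encoding: {$raw}");
        }
    }
}

// Constructed sample record standing in for a row saved via /admin/index.php/advtext/add.
$sample = [
    'title'   => "<script>alert('XSS')</script>",
    'content' => 'Book now & "save" <b>today</b>',
];

sendContentSecurityPolicy();
$html = renderAdvtext($sample);
selfCheck($html);
echo $html, PHP_EOL;
```

Run it with the php command-line interpreter; selfCheck() throws if any raw tag or quote survives, and the printed HTML shows the payload as inert text. Encoding at render time means the add action's filter is no longer the only barrier; if you also encode in the add action as the advisory suggests, make sure the stored text is not encoded twice (an & would otherwise become &amp;amp;). The script-src 'self' policy blocks every inline script and on*= handler, including the CMS's own, so check the admin UI after enabling it; the .htaccess form of the header requires Apache's mod_headers.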

🧯 If You Can't Patch

  • Restrict access to /admin/index.php/advtext/add to only trusted IP addresses using web server configuration.
  • Disable the advtext module entirely if not required for business operations.

🔍 How to Verify

Check if Vulnerable:

Test by attempting to inject a simple XSS payload like <script>alert('XSS')</script> into the advtext add form and check if it executes when viewing the content.

Check Version:

Check the git commit hash: git log --oneline -1

Verify Fix Applied:

After implementing workarounds, test the same XSS payload to ensure it's properly sanitized and doesn't execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /admin/index.php/advtext/add containing script tags or JavaScript code
  • Multiple failed login attempts followed by successful access to admin pages

Network Indicators:

  • HTTP requests containing malicious script payloads in POST parameters
  • Outbound connections to suspicious domains from the web server

SIEM Query:

source="web_logs" AND (url="/admin/index.php/advtext/add" AND (body="<script>" OR body="javascript:"))
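The SIEM query above in runnable form, as an added example that is not part of the advisory: scanAccessLog() reads constructed JSON-lines access records, keeps only POSTs whose path is /admin/index.php/advtext/add, and reports bodies that match case-insensitive patterns for script tags, javascript: URIs and on*= handlers after URL-decoding. The log format, the field names (time, src_ip, user, method, url, body) and the sample lines are assumptions; adapt the parser to what your web server or WAF actually logs (most access logs do not record POST bodies by default, so body capture has to be enabled at the proxy or WAF first).

```php
<?php
// Added example (not part of the advisory or the CMS): a small log scanner that
// implements the SIEM query over constructed JSON-lines access records.
// Field names and the log format are assumptions.

declare(strict_types=1);

const ADVTEXT_ADD_PATH = '/admin/index.php/advtext/add';

/**
 * Patterns that indicate script injection in a POST body. Matching is
 * case-insensitive and tolerant of whitespace so that variants such as
 * "<SCRIPT" or "javascript :" are not missed by a literal "<script>" match.
 */
const XSS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'javascript_uri' => '/javascript\s*:/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
];

/**
 * Return the names of the patterns that match a request body (empty if none).
 * Form bodies are URL-encoded on the wire, so decode before matching.
 */
function matchXssPatterns(string $body): array
{
    $hits = [];
    $decoded = urldecode($body);
    foreach (XSS_PATTERNS as $name => $regex) {
        if (preg_match($regex, $decoded) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

/**
 * Scan JSON-lines access log text and return one alert per suspicious POST
 * to the advtext add action. Unparsable lines are skipped, not fatal.
 */
function scanAccessLog(string $jsonLines): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($jsonLines)) as $line) {
        $rec = json_decode($line, true);
        if (!is_array($rec) || ($rec['method'] ?? '') !== 'POST') {
            continue;
        }
        // Compare the path only, so a query string does not evade the match.
        $path = parse_url((string) ($rec['url'] ?? ''), PHP_URL_PATH);
        if ($path !== ADVTEXT_ADD_PATH) {
            continue;
        }
        $hits = matchXssPatterns((string) ($rec['body'] ?? ''));
        if ($hits !== []) {
            $alerts[] = [
                'time'     => $rec['time'] ?? '',
                'src_ip'   => $rec['src_ip'] ?? '',
                'user'     => $rec['user'] ?? '',
                'patterns' => $hits,
            ];
        }
    }
    return $alerts;
}

// Constructed sample log lines (not real traffic): one benign add, two
// suspicious adds (one with a query string), and one POST to another module.
$log = <<<'LOG'
{"time":"2025-01-10T09:00:01Z","src_ip":"10.0.0.5","user":"admin","method":"GET","url":"/admin/index.php/advtext/add","body":""}
{"time":"2025-01-10T09:00:07Z","src_ip":"10.0.0.5","user":"admin","method":"POST","url":"/admin/index.php/advtext/add","body":"title=Summer+sale&content=Book+now"}
{"time":"2025-01-10T09:02:13Z","src_ip":"203.0.113.9","user":"admin","method":"POST","url":"/admin/index.php/advtext/add?lang=en","body":"title=x&content=%3CSCRIPT%3Ealert%281%29%3C%2Fscript%3E"}
{"time":"2025-01-10T09:02:20Z","src_ip":"203.0.113.9","user":"admin","method":"POST","url":"/admin/index.php/advtext/add","body":"title=x&content=%3Ca+href%3D%22javascript%3Aalert%281%29%22%3Eclick%3C%2Fa%3E"}
{"time":"2025-01-10T09:03:00Z","src_ip":"10.0.0.7","user":"editor","method":"POST","url":"/admin/index.php/article/add","body":"title=%3Cscript%3E"}
LOG;

foreach (scanAccessLog($log) as $alert) {
    printf("%s %s user=%s patterns=%s\n",
        $alert['time'], $alert['src_ip'], $alert['user'], implode(',', $alert['patterns']));
}
```

Run with the php command-line interpreter; only the two 203.0.113.9 requests are reported. The literal body="<script>" match in the query above misses mixed-case and URL-encoded payloads, which is why the scanner decodes first and uses regexes; expect some false positives from the on[a-z]+= pattern on ordinary form fields whose names start with "on", and tune it against your own data before alerting on it.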
