CVE-2025-64047
📋 TL;DR
OpenRapid RapidCMS 1.3.1 contains a cross-site scripting vulnerability in the /user/user-move.php endpoint that allows attackers to inject malicious scripts. This affects all users of RapidCMS 1.3.1 who have access to the vulnerable endpoint. Successful exploitation could lead to session hijacking, credential theft, or redirection to malicious sites.
💻 Affected Systems
- OpenRapid RapidCMS
📦 What is this software?
Rapidcms by Openrapid
⚠️ Risk & Real-World Impact
Worst Case
Attacker steals administrator session cookies, gains full control of the CMS, and deploys malware to all site visitors.
Likely Case
Attacker steals user session cookies to impersonate legitimate users, potentially accessing sensitive user data.
If Mitigated
Script execution is blocked by modern browser security features, limiting impact to basic defacement.
🎯 Exploit Status
Proof of concept available in the referenced GitHub gist. Requires authenticated access to the user management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: http://rapidcms.com
Restart Required: No
Instructions:
1. Check the vendor website for security updates.
2. If a patch is available, download and apply it.
3. Validate the fix by testing the vulnerable endpoint.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side input validation and output encoding for user-supplied values in /user/user-move.php
Modify user-move.php to include: htmlspecialchars($_POST['user_input'], ENT_QUOTES, 'UTF-8')
Content Security Policy
Implement CSP headers to restrict script execution
Add to .htaccess: Header set Content-Security-Policy "default-src 'self'; script-src 'self'"
Or add to PHP: header("Content-Security-Policy: default-src 'self'; script-src 'self'")
🧯 If You Can't Patch
- Restrict access to /user/user-move.php endpoint using web server rules or firewall
- Implement web application firewall (WAF) rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Test /user/user-move.php endpoint with XSS payload: <script>alert('XSS')</script> and check if script executes
Check Version:
Check CMS admin panel or read version.txt file in installation directory
Verify Fix Applied:
Retest with the same XSS payload after applying the fixes; the script should no longer execute
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /user/user-move.php containing script tags
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- HTTP requests containing <script> tags in parameters
- Outbound connections to suspicious domains after visiting user-move.php
SIEM Query:
source="web_logs" AND uri="/user/user-move.php" AND (param CONTAINS "<script>" OR param CONTAINS "javascript:")
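The SIEM query above, applied to raw web-server access logs as an added Python example (not part of the advisory). The log lines, IPs and timestamps are constructed; since access logs carry only query-string parameters, payloads sent in POST bodies must be inspected at the WAF or in application-level logging.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined log format); addresses,
# timestamps and payloads are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Nov/2025:10:01:02 +0000] "GET /user/user-move.php?id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Nov/2025:10:01:09 +0000] "POST /user/user-move.php?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Nov/2025:10:01:15 +0000] "GET /user/user-move.php?next=JavaScript%3Aalert(1) HTTP/1.1" 302 0 "-" "curl/8.0"
203.0.113.13 - - [10/Nov/2025:10:01:20 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
TARGET_PATH = "/user/user-move.php"          # the vulnerable endpoint from the advisory
MARKERS = ("<script", "javascript:")         # the two indicators used in the SIEM query

def suspicious_params(target):
    """Return (param, decoded value) pairs on the request target that carry an XSS marker.

    Only requests to TARGET_PATH are inspected, mirroring the uri= clause of the query.
    """
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again so double-encoded payloads are
        # also caught, then lower-case so "JavaScript:" matches "javascript:".
        decoded = unquote_plus(unquote_plus(value)).lower()
        if any(marker in decoded for marker in MARKERS):
            hits.append((key, decoded))
    return hits

def scan_log(text):
    """Return one finding per access-log line that matches the SIEM query."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "method": m["method"], "params": hits})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```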