CVE-2025-67165
📋 TL;DR
An Insecure Direct Object Reference (IDOR) vulnerability in Pagekit CMS v1.0.18 allows attackers to manipulate object references (like user IDs) to escalate privileges. This affects all Pagekit CMS installations running the vulnerable version, potentially enabling attackers to gain administrative access.
💻 Affected Systems
- Pagekit CMS
📦 What is this software?
Pagekit by Pagekit
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the CMS, allowing them to modify content, install malicious plugins, access sensitive data, and potentially compromise the underlying server.
Likely Case
Attackers escalate privileges to administrator level, enabling content manipulation, user account takeover, and installation of backdoors.
If Mitigated
With proper access controls and input validation, the impact is limited to resources the attacker already has some permissions for.
🎯 Exploit Status
Exploitation requires at least low-privilege user access. The vulnerability is in the user management interface where object references can be manipulated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: Not available
Restart Required: No
Instructions:
1. Check for an official patch from the Pagekit CMS developers
2. If a patch is available, download and apply it according to the vendor's instructions
3. Verify the fix by testing privilege escalation attempts
🔧 Temporary Workarounds
Implement Access Control Validation
Add server-side validation to ensure users can only access objects they're authorized for
Modify user management PHP files to include proper authorization checks before processing object references
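One way to write the authorization check this workaround describes, as an added example and not Pagekit's own code. The function name, the array fields and the `manage_users` and `admin` labels are hypothetical and need mapping to the installation's real roles and permissions.

```php
<?php
declare(strict_types=1);

/**
 * Decide whether $actor may apply $change to the user record $targetId.
 * $actor must be loaded from the server-side session, never from request input.
 * Field names and the 'manage_users' / 'admin' labels are hypothetical.
 *
 * @param array{id:int, roles:string[], permissions:string[]} $actor
 * @param array<string,mixed> $change       fields the request wants to write
 * @param string[] $currentTargetRoles      roles stored for the target today
 */
function authorizeUserUpdate(array $actor, int $targetId, array $change, array $currentTargetRoles): bool
{
    $isManager = in_array('manage_users', $actor['permissions'], true);
    $isAdmin   = in_array('admin', $actor['roles'], true);

    // Object-level check: without the management permission, only your own record.
    if ($targetId !== $actor['id'] && !$isManager) {
        return false;
    }

    // Field-level check: any role change is privileged, even on your own record.
    if (array_key_exists('roles', $change)) {
        $added   = array_diff($change['roles'], $currentTargetRoles);
        $removed = array_diff($currentTargetRoles, $change['roles']);
        if (($added || $removed) && !$isManager) {
            return false;
        }
        // A non-admin manager cannot grant a role they do not hold themselves.
        if (!$isAdmin && array_diff($added, $actor['roles'])) {
            return false;
        }
    }
    return true;
}

// Constructed sample data: a low-privilege editor (ID 7) and an administrator (ID 1).
$editor = ['id' => 7, 'roles' => ['editor'], 'permissions' => []];
$admin  = ['id' => 1, 'roles' => ['admin'],  'permissions' => ['manage_users']];

var_dump(authorizeUserUpdate($editor, 7, ['name' => 'New name'], ['editor']));            // editor edits own profile
var_dump(authorizeUserUpdate($editor, 1, ['name' => 'x'], ['admin']));                    // editor references another user's ID
var_dump(authorizeUserUpdate($editor, 7, ['roles' => ['editor', 'admin']], ['editor']));  // editor adds a role to self
var_dump(authorizeUserUpdate($admin, 7, ['roles' => ['editor', 'admin']], ['editor']));   // admin grants a role
```

The check has to run on every write path that accepts a user ID, with the decision based on the stored roles rather than on values the client submitted.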
Restrict User Management Interface
Limit access to user management functionality to trusted IP addresses only
Add IP-based restrictions in .htaccess or web server configuration for /admin/user paths
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to detect and block IDOR patterns
- Enable detailed logging of all user management actions and monitor for suspicious privilege changes
🔍 How to Verify
Check if Vulnerable:
Check if running Pagekit CMS v1.0.18 by examining the version in admin panel or checking composer.json
Check Version:
Check admin panel or examine composer.json for version information
Verify Fix Applied:
With proper authorization, test privilege escalation attempts against the known vulnerable endpoints
📡 Detection & Monitoring
Log Indicators:
- Multiple failed privilege escalation attempts
- Unauthorized access to user management endpoints
- Sudden privilege changes for user accounts
Network Indicators:
- Unusual patterns of requests to user management API endpoints
- Requests manipulating user ID parameters
SIEM Query:
source="web_logs" AND (uri_path="/admin/user*" OR uri_path="/api/user*") AND (status_code=200 OR status_code=403) AND user_agent NOT IN ("trusted_bots")
🔗 References
- https://github.com/mbiesiad/vulnerability-research/tree/main/CVE-2025-67165
- https://github.com/pagekit/docs/blob/develop/user-interface/users.md#permissions
- https://github.com/pagekit/docs/blob/develop/user-interface/users.md#roles
- https://github.com/pagekit/pagekit