CVE-2025-14722
Unknown Unknown - Not Provided
Remote Cross-Site Scripting in vion707 DMadmin Backend Add Function

Publication date: 2025-12-15

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in vion707 DMadmin up to 3403cafdb42537a648c30bf8cbc8148ec60437d1. This impacts the function Add of the file Admin/Controller/AddonsController.class.php of the component Backend. Executing manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-15
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-15
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14722
EUVD
EUVD-2025-203423
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vion707 dmadmin *
thinkphp thinkphp 3.23
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14722 is a stored Cross-Site Scripting (XSS) vulnerability in the vion707 DMadmin software, specifically in the Add function of the Backend's AddonsController.class.php file. It occurs because user input is not properly sanitized or escaped before being stored and later displayed in the backend interface. This allows an authenticated attacker to inject malicious scripts that execute when the stored data is viewed, potentially compromising the integrity of the application. The attack requires authentication and some user interaction, and a proof-of-concept exploit is publicly available. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing an authenticated attacker to execute malicious scripts within the backend interface of the DMadmin software. This can compromise the integrity of the system by manipulating or hijacking user sessions, stealing sensitive information, or performing unauthorized actions within the application. Since the exploit is remotely executable and publicly disclosed, it poses a risk if the affected software is in use and not mitigated. [2, 3]

Detection Guidance

This vulnerability can be detected by searching for the vulnerable file path or by testing the Add function in the Admin/Controller/AddonsController.class.php for improper input sanitization leading to XSS. Google dorking can be used to identify exposed instances by searching for the vulnerable file path. Additionally, testing input fields in the backend for stored XSS payloads can help detect the issue. Specific commands are not provided, but using web vulnerability scanners targeting XSS or manual testing with XSS payloads in the affected parameters is suggested. [2, 3]

Mitigation Strategies

Immediate mitigation steps include replacing or updating the affected component or product since no known mitigations or countermeasures have been published. Avoid using the vulnerable version of vion707 DMadmin and restrict access to the backend interface to trusted users only. Implement input validation and output encoding as a general best practice to reduce XSS risks until a patch or update is available. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart