CVE-2025-15144
Unknown Unknown - Not Provided
Cross-Site Scripting in dayrui XunRuiCMS JSONP Handler

Publication date: 2025-12-28

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-28
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-28
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15144
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dayrui xunruicms *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in dayrui XunRuiCMS up to version 4.7.1, specifically in the JSONP Callback Handler component. It involves the functions dr_show_error and dr_exit_msg in the file /dayrui/Fcms/Init.php. The vulnerability is caused by improper handling of the 'callback' argument, which can be manipulated to perform a cross-site scripting (XSS) attack. This means an attacker can inject malicious scripts that execute in the context of the victim's browser. The attack can be initiated remotely, and a public exploit is available.

Detection Guidance

This vulnerability can be detected by identifying if your XunRuiCMS installation (version 4.7.1 or earlier) is vulnerable to reflected XSS via the JSONP callback parameter. One way to detect it is by sending crafted HTTP GET requests with a malicious callback parameter and observing if the response reflects the callback parameter without sanitization. For example, you can use curl to test the vulnerability: curl "http://[target]/index.php?s=api&c=api&m=test&callback=alert(document.cookie)//" and check if the response contains the unsanitized callback parameter executing JavaScript. Additionally, attackers may use Google dorking with the query inurl:dayrui/Fcms/Init.php to identify vulnerable targets. Monitoring HTTP responses for reflected callback parameters without sanitization can help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include implementing strict validation and sanitization of the 'callback' parameter to allow only safe JavaScript function names. For example, use a whitelist regex such as /^[a-zA-Z_][a-zA-Z0-9_]*$/ to sanitize the callback parameter before outputting it. If you cannot patch the code immediately, consider disabling or restricting access to the vulnerable endpoints to prevent exploitation. Ultimately, upgrading to a version of XunRuiCMS that fixes this issue or replacing the CMS with a secure alternative is recommended. Since the vendor has not responded, applying custom sanitization as shown in the recommended fix is critical. [2, 3]

Impact Analysis

This vulnerability can impact you by allowing an attacker to execute malicious scripts in the context of your users' browsers. This can lead to various issues such as session hijacking, defacement, or redirection to malicious sites. Since the attack is remotely exploitable and a public exploit exists, it increases the risk of exploitation. However, the vulnerability does not impact confidentiality or availability, but it does affect integrity to a limited extent.

Compliance Impact

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows cross-site scripting (XSS) attacks that can lead to session hijacking, credential theft, and unauthorized access to user data, it could potentially result in violations of data protection requirements under such regulations if exploited. No direct statements about compliance impact or regulatory consequences are given. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15144. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart