The PivotX 3.0.0 RC3 content management system (CMS) suffers from a critical remote code execution (RCE) vulnerability (CVE-2025-52367) that arises from a stored cross-site scripting (XSS) flaw in the 'title' and 'subtitle' fields during page creation. The vulnerability stems from improper input sanitization: user-supplied data in these fields is serialized and stored directly to disk without any escaping or filtering in the 'savePage($page)' function within 'modules/pages_flat.php'. When these fields are later rendered in the admin panel, they are output as raw HTML, enabling malicious JavaScript execution in the context of an administrator's browser. Notably, only the 'body' and 'introduction' fields are sanitized via TinyMCE, leaving 'title' and 'subtitle' vulnerable. Exploitation requires an authenticated non-admin user to create a page with a malicious payload in the 'subtitle' field that loads an external JavaScript file designed to steal admin cookies. When an administrator views the page, the XSS payload executes, allowing the attacker to hijack the admin session by capturing cookies. With admin privileges, the attacker can then access the CMS's file editor interface to modify PHP files, injecting arbitrary code such as a reverse shell. This chain of attack effectively escalates privileges from a normal user to full remote code execution on the server hosting PivotX. The exploit was tested on Debian 11 with PHP 7.4, demonstrating practical feasibility. The vulnerability is critical due to the combination of stored XSS leading to privilege escalation and full RCE, enabling attackers to completely compromise the affected system. No official patch links are provided yet, and no widespread exploitation has been reported, but the exploit code is publicly available.

For European organizations using PivotX 3.0.0 RC3, this vulnerability poses a severe risk. Successful exploitation can lead to full system compromise, including unauthorized access to sensitive data, defacement of websites, deployment of malware, and lateral movement within internal networks. Given that the attack requires only an authenticated user account (which may be easier to obtain in some environments), the risk of insider threats or compromised user credentials is significant. The ability to execute arbitrary PHP code on the server can disrupt business operations, cause data breaches, and damage organizational reputation. Additionally, since PivotX is a web-based CMS, the vulnerability could be exploited remotely over the internet, increasing the attack surface. European organizations subject to strict data protection regulations such as GDPR could face legal and financial consequences if personal data is exposed due to this flaw.

1. Immediate mitigation should include restricting user permissions to prevent untrusted users from creating or editing pages until a patch is available. 2. Implement strict input validation and sanitization on all user-supplied fields, especially 'title' and 'subtitle', to neutralize HTML and JavaScript content before storage. 3. Apply output encoding/escaping when rendering user content in the admin panel to prevent execution of injected scripts. 4. Monitor web server and application logs for suspicious activity, including unusual page creations or edits. 5. Use web application firewalls (WAFs) with custom rules to detect and block attempts to inject script tags or load external JavaScript files. 6. Limit access to the CMS admin panel by IP whitelisting or VPN to reduce exposure. 7. Regularly audit user accounts and revoke unnecessary privileges. 8. Once available, promptly apply official patches or upgrade to a fixed version of PivotX. 9. Consider deploying Content Security Policy (CSP) headers to restrict loading of external scripts. 10. Educate administrators to avoid clicking on suspicious pages or links within the CMS.