CTCMS Content Management System
CVE-2025-14729
LOW
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was identified in CTCMS Content Management System up to 2.1.2. The affected element is the function Save of the file /ctcms/libs/Ct_App.php of the component Backend App Configuration Module. The manipulation of the argument CT_App_Paytype leads to code injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
Analysis (AI)
Code injection in CTCMS up to version 2.1.2 allows high-privileged remote attackers to inject arbitrary code via the CT_App_Paytype parameter of the Save function in the Backend App Configuration Module. The CVSS score is low (2.0) because exploitation requires high administrative privileges (PR:H), but publicly available exploit code exists. In practice the risk is confined to accounts that already hold authenticated administrator access to the backend.
Technical Context (AI)
The vulnerability lies in the Save function of /ctcms/libs/Ct_App.php, a core component of CTCMS's Backend App Configuration Module. The assigned weakness, CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'), indicates that user-supplied input from the CT_App_Paytype parameter is not neutralised before it is processed or stored. The PHP application neither validates nor escapes this parameter, so arbitrary code can be injected. It is a server-side code injection flaw in the configuration-handling logic, where administrative input is trusted without validation.
Remediation (AI)
Upgrade CTCMS to a version released after 2.1.2 if available from the project repository. Since no explicit patched version is confirmed in the provided data, contact the CTCMS project maintainers via vuldb.com or the project's official channels to confirm availability of a security patch. As an immediate compensating control, restrict backend administrative access strictly to trusted users and disable or remove the Backend App Configuration Module if not required for operations. Additionally, implement input validation and output encoding for the CT_App_Paytype parameter by filtering special characters and using parameterized queries or prepared statements. Monitor administrative backend logs for suspicious parameter values or configuration changes. If the application permits configuration of this module, consider disabling it via configuration file or database settings pending patch availability.
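The unvalidated-parameter pattern from the Technical Context and the input-validation and log-monitoring controls from the Remediation, as an added example that is not CTCMS code: an allow-list check for CT_App_Paytype and a scan over constructed audit-log lines that flags Save events carrying a value outside that allow-list. The log format, the `action=Save` field and the identifier shape of a payment type are assumptions made for this example.

```python
import re

# Assumption: a payment-type setting is a short identifier token. CTCMS's
# real accepted values are not stated on the page, so this rule checks
# shape rather than a fixed list of payment products.
PAYTYPE_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_paytype(value: str) -> bool:
    """Allow-list check for CT_App_Paytype: anything that is not a plain
    identifier (quotes, semicolons, PHP tags, newlines) is rejected before
    it can be written into configuration or reach an eval-like sink."""
    return PAYTYPE_RE.fullmatch(value) is not None


# Constructed audit-log format for this example (not CTCMS's real format):
#   <timestamp> user=<name> action=<function> CT_App_Paytype="<value>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'CT_App_Paytype="(?P<value>.*)"$'
)


def suspicious_saves(lines):
    """Return Save events whose CT_App_Paytype value fails the allow-list.
    Only the Save action is inspected because that is where the advisory
    locates the injection; other actions are ignored."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("action") != "Save":
            continue
        value = m.group("value")
        if not is_valid_paytype(value):
            hits.append({"ts": m.group("ts"), "user": m.group("user"),
                         "value": value})
    return hits


# Constructed sample log lines (not real CTCMS output).
SAMPLE_LOG = [
    '2025-12-20T10:01:02Z user=admin action=Save CT_App_Paytype="alipay"',
    '2025-12-20T10:03:40Z user=admin action=View CT_App_Paytype="alipay"',
    '2025-12-20T10:05:17Z user=admin action=Save CT_App_Paytype="alipay\'; x=1; //"',
]

if __name__ == "__main__":
    for hit in suspicious_saves(SAMPLE_LOG):
        print("suspicious CT_App_Paytype at", hit["ts"], "by", hit["user"], repr(hit["value"]))
```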