CTCMS Content Management System
CVE-2025-14730
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security flaw has been discovered in CTCMS Content Management System up to 2.1.2. The impacted element is an unknown function in the library /ctcms/libs/Ct_Config.php of the component Backend System Configuration Module. The manipulation of the argument Cj_Add/Cj_Edit results in code injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited.
Analysis (AI)
Code injection in CTCMS up to version 2.1.2 allows a remote attacker who already holds high-privilege (administrative) credentials to inject code by manipulating the Cj_Add or Cj_Edit arguments handled by /ctcms/libs/Ct_Config.php in the Backend System Configuration Module. Public exploit code is available, but the NVD vector requires high privileges (PR:H) and rates the confidentiality, integrity and availability impact as low (VC:L/VI:L/VA:L), with no impact on subsequent systems (SC:N/SI:N/SA:N). The EPSS score of 0.07% indicates a low probability of real-world exploitation despite the public proof of concept.
Technical Context (AI)
CTCMS is a PHP-based content management system. The vulnerability is in the library file /ctcms/libs/Ct_Config.php, part of the Backend System Configuration Module; the CVE description identifies the affected function only as "unknown". The record maps the weakness to CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection'); code injection specifically is its child CWE-94. User-supplied input from the Cj_Add and Cj_Edit parameters is not neutralized before it reaches a context that is interpreted as code. The affected component processes backend system configuration changes, an administrative function that normally requires high privileges, which is why the vector carries PR:H. In PHP configuration modules the usual sink is either eval() or include() on data derived from the request, or a configuration file assembled from request values by string concatenation and later include()d; in both cases a value that closes a string literal can append arbitrary PHP statements, so a successful injection can mean code execution as the web server user. The public record does not say which of these code paths Ct_Config.php uses.
Remediation (AI)
Upgrade CTCMS to a release later than 2.1.2 once the CTCMS project publishes one; the VulDB entry at https://vuldb.com/?id.336487 tracks patch availability (it is a tracker entry, not a vendor advisory). Until then: restrict the administrative accounts that can reach the Backend System Configuration Module to trusted personnel and require strong authentication for them, because the attack needs those credentials; restrict the whole /ctcms/ backend, not just /ctcms/libs/Ct_Config.php, to trusted network segments via network ACLs or WAF rules, since a library file is normally reached through the backend's own pages and a rule on the library path alone may never see the request that carries Cj_Add or Cj_Edit; and, in the code, validate Cj_Add and Cj_Edit against an allow-list of expected keys and value formats rather than trying to strip PHP delimiters, and never build PHP source from request values by concatenation (emit literals with var_export(), or store configuration as JSON or INI data that is parsed rather than executed). Review backend configuration changes and the contents of generated configuration files regularly for unexpected code.
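The following PHP is an added example written for this page, not CTCMS code: the public record does not show how Ct_Config.php persists configuration, so the "config value written into PHP source" pattern, the function names, the file names and the payload below are all assumptions. It illustrates the injection mechanism described under Technical Context and the two code-level mitigations from Remediation (allow-listed keys plus var_export() literals, and an audit of the generated file for anything that is not plain data).

```php
<?php
// Added example (not CTCMS code). The config-writing pattern, function names,
// file names and payload are assumptions made for this illustration.

// Vulnerable: an untrusted value is interpolated straight into PHP source that
// is later include()d. A single quote in the value ends the string literal.
function write_config_vulnerable(string $path, array $values): void
{
    $src = "<?php\n\$config = [];\n";
    foreach ($values as $key => $val) {
        $src .= "\$config['{$key}'] = '{$val}';\n";
    }
    file_put_contents($path, $src);
}

// Hardened: allow-list the keys, require scalar values, and let var_export()
// emit a correctly escaped literal so the value can never close it or append
// statements. Write-then-rename so a half-written file is never include()d.
function write_config_safe(string $path, array $values, array $allowedKeys): void
{
    $src = "<?php\n\$config = [];\n";
    foreach ($values as $key => $val) {
        if (!in_array($key, $allowedKeys, true) || !is_scalar($val)) {
            throw new InvalidArgumentException("rejected config key/value: {$key}");
        }
        $src .= sprintf("\$config[%s] = %s;\n",
            var_export((string) $key, true), var_export($val, true));
    }
    $tmp = $path . '.tmp';
    file_put_contents($tmp, $src, LOCK_EX);
    rename($tmp, $path);
}

// Audit: a data-only config file tokenizes to nothing but the open tag, the
// $config variable, brackets, string/number literals, '=' and ';'. Any other
// variable, any function name or a parenthesis means code got in.
function config_is_data_only(string $path): bool
{
    $allowedChars = ['=', ';', '[', ']'];
    foreach (token_get_all(file_get_contents($path)) as $tok) {
        if (!is_array($tok)) {
            if (!in_array($tok, $allowedChars, true)) {
                return false;          // e.g. '(' from a function call
            }
            continue;
        }
        [$id, $text] = $tok;
        switch ($id) {
            case T_OPEN_TAG:
            case T_WHITESPACE:
            case T_LNUMBER:
            case T_DNUMBER:
            case T_CONSTANT_ENCAPSED_STRING:
                break;
            case T_VARIABLE:
                if ($text !== '$config') {
                    return false;      // $_GET, $_POST, ...
                }
                break;
            case T_STRING:
                if (!in_array(strtolower($text), ['true', 'false', 'null'], true)) {
                    return false;      // a function or constant name
                }
                break;
            default:
                return false;          // comments, heredocs, keywords, ...
        }
    }
    return true;
}

// Constructed payload: close the literal, inject a call, comment out the rest.
$payload = "x'; system(\$_GET['c']); //";
$dir = sys_get_temp_dir();

write_config_vulnerable("$dir/vuln_config.php", ['site_name' => $payload]);
write_config_safe("$dir/safe_config.php", ['site_name' => $payload], ['site_name']);

echo file_get_contents("$dir/vuln_config.php");
echo file_get_contents("$dir/safe_config.php");
var_dump(config_is_data_only("$dir/vuln_config.php"));
var_dump(config_is_data_only("$dir/safe_config.php"));
```

With the constructed payload, the vulnerable writer emits `$config['site_name'] = 'x'; system($_GET['c']); //';`, which is a live statement the moment the file is include()d, while var_export() emits `'x\'; system($_GET[\'c\']); //'`, an inert string. config_is_data_only() reports false for the first file and true for the second; run it over the configuration files an existing install has written if you suspect this parameter was ever abused, since a file produced by the safe writer should never tokenize to anything but assignments.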