ZZCMS
CVE-2025-14837
Severity: LOW (primary rating from NVD, the only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability has been found in ZZCMS 2025. Affected by this issue is the function stripfxg of the file /admin/siteconfig.php of the component Backend Website Settings Module. Such manipulation of the argument icp leads to code injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Code injection in the ZZCMS 2025 Backend Website Settings Module allows authenticated remote attackers to inject arbitrary code via the icp parameter handled by the stripfxg function in /admin/siteconfig.php, with limited confidentiality impact. Public exploit code is available, but exploitation requires high-privilege administrative access, which significantly limits the practical attack surface despite the network-accessible attack vector.
Technical Context (AI)
ZZCMS is a PHP-based content management system. The vulnerability exists in the stripfxg function within the Backend Website Settings Module, specifically in /admin/siteconfig.php. The root cause is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, also known as 'Injection'), indicating insufficient validation or sanitization of the icp parameter before it is processed. The parameter is passed to a backend function without proper escaping or type checking, allowing an attacker holding administrative credentials to inject PHP or other code that is then executed server-side.
Remediation (AI)
No vendor-released patch version is confirmed at the time of analysis. Immediate remediation requires restricting administrative access to /admin/siteconfig.php to trusted IP ranges or requiring additional authentication factors (e.g., IP allow-listing, multi-factor authentication for admin accounts). Apply strict input validation to the icp parameter in the stripfxg function by implementing whitelist-based filtering or parameterized queries to reject special characters and code syntax. Disable the Backend Website Settings Module entirely if it is not actively used. Monitor /admin/siteconfig.php access logs for suspicious parameter values or administrative login anomalies. Contact the ZZCMS vendor or community repositories for patched-version availability or security advisories. Consider moving to an actively maintained CMS alternative if ZZCMS development is dormant.