Concrete CMS 9.4.3 - Stored XSS
Author: Chokri Hammedi
type: webapps
platform: multiple
port:
date_added: 2025-09-16
date_updated: 2025-09-16
verified: 0
codes: CVE-2025-8573
tags:
aliases:
screenshot_url:
application_url:
raw file: 52428.txt
# Exploit Title: Concrete CMS 9.4.3 - Stored XSS
# Date: 2/09/2025
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.concretecms.org/
# Software Link: https://www.concretecms.org/download_file/8e11ad24-cc1e-4880-8553-7c18ede22c50/2658
# Version: 9.4.3
# CVE : CVE-2025-8573
# Tested on: Windows XP
'''
Description:
A stored XSS vulnerability in the Concrete CMS admin panel allows
administrators to inject malicious scripts into the site's tracking codes,
which then execute for every site visitor.
'''
Reproduction Steps:
1. Login to Concrete CMS dashboard with administrator credentials
2. Navigate to: Dashboard → System & Settings → SEO & Statistics → Tracking Codes
3. Locate the "Footer Tracking Codes" text input field
4. Insert malicious JavaScript payload: <script>alert('XSS')</script>
5. Save the configuration changes
6. Visit any frontend page of the website
Observe JavaScript alert execution on page load
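The root of the issue is that the tracking-code fields are rendered verbatim into every page, so whatever an administrator account stores there runs in every visitor's browser. Because the fields legitimately hold analytics snippets, a defender cannot simply strip `<script>`; what can be done is to audit the stored value against what was approved. The following is an added example written for this entry (it is not Concrete CMS code and does not use its API): it parses a tracking-code value and reports any external script from a non-allowlisted host, any inline script body that does not hash to a previously approved snippet, and any inline `on*` event handler. The allowlisted hosts and the approved snippet are assumptions made for the demonstration.

```python
"""Audit a stored tracking-code value for script that was never approved.

Added example, not Concrete CMS code. The check compares what is stored
against what was reviewed:
  * external scripts must load from an allowlisted analytics host,
  * inline script bodies must hash to a previously approved snippet,
  * inline event handlers (onerror=, onload=, ...) are never expected.
The hosts and the approved snippet below are assumptions for the demo.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only third-party script hosts this site's analytics uses.
ALLOWED_SCRIPT_HOSTS = {"www.googletagmanager.com", "www.google-analytics.com"}


def snippet_hash(body: str) -> str:
    """SHA-256 of an inline script body with whitespace collapsed."""
    normalized = " ".join(body.split())
    return hashlib.sha256(normalized.encode("utf-8")).hexdigest()


# Constructed: the inline snippet that was reviewed when the tracking code
# was first configured. A real deployment would persist this hash somewhere
# the CMS admin panel cannot edit.
APPROVED_GTAG_INLINE = (
    "window.dataLayer = window.dataLayer || [];"
    "function gtag(){dataLayer.push(arguments);}"
    "gtag('js', new Date()); gtag('config', 'G-EXAMPLE');"
)
APPROVED_INLINE_HASHES = {snippet_hash(APPROVED_GTAG_INLINE)}


class _ScriptCollector(HTMLParser):
    """Collects <script> elements and inline on* handlers from markup."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # dicts: {"src": str | None, "body": str}
        self.handlers = []     # (tag, attribute-name) pairs
        self._current = None   # the <script> currently being read

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag == "script":
            self._current = {"src": dict(attrs).get("src"), "body": ""}
            return
        for name, _value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))

    def handle_data(self, data):
        # Script content is CDATA; it arrives here, possibly in chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

    def close(self):
        super().close()
        if self._current is not None:   # an unterminated <script> still counts
            self.scripts.append(self._current)
            self._current = None


def audit_tracking_code(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS,
                        approved_hashes=APPROVED_INLINE_HASHES):
    """Return a list of findings; an empty list means nothing unexpected."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, attr in parser.handlers:
        findings.append(f"inline event handler {attr} on <{tag}>")
    for script in parser.scripts:
        src = script["src"]
        if src:
            host = (urlparse(src).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append(f"script src from non-allowlisted host {host!r}")
        elif script["body"].strip():
            if snippet_hash(script["body"]) not in approved_hashes:
                findings.append("inline script body does not match an approved snippet")
    return findings


if __name__ == "__main__":
    # Constructed: an approved footer tracking code, then the same value with
    # one extra inline script appended after the approved snippet.
    approved = ('<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE">'
                '</script><script>' + APPROVED_GTAG_INLINE + '</script>')
    print("approved value:", audit_tracking_code(approved))
    print("tampered value:", audit_tracking_code(approved + "<script>alert('XSS')</script>"))
```

Run this periodically against the value the CMS stores for the footer and header tracking codes (or on every save, from a hook outside the admin panel's own permission scope); any non-empty result is a configuration change that nobody reviewed.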