Impact
CI4MS, a CodeIgniter 4-based CMS skeleton, stores user input from its System Settings – Social Media Management module without proper output encoding. Values for fields such as Social Media and Social Media Link are accepted from users, saved to the database, and later rendered directly into page content. This creates a stored DOM XSS flaw: when the injected script runs in a victim's browser it can hijack sessions, exfiltrate credentials, alter displayed content, or elevate privileges, allowing an attacker to compromise the entire platform and take over any account that can view the affected pages. The description does not specify the privileges required to inject input, but the stored nature of the flaw implies that an attacker must be able to submit values to the social media settings. In typical deployments, modifying system settings requires an authenticated user with administrative permissions, so the attack vector is most likely an authenticated user or a compromised account.
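A minimal illustration of this defect class and its remediation, added here as an example and not code from CI4MS: a stored setting is rendered into an anchor once as-is and once with output encoding plus a scheme allowlist on the link field. `htmlspecialchars()` stands in for CodeIgniter 4's `esc()` helper so the script runs without the framework (in a CI4 view you would call `esc($value, 'attr')` or `esc($value, 'html')`); the field names and sample rows are constructed.

```php
<?php
// Added example, not CI4MS code. Field names and sample values are constructed.
declare(strict_types=1);

// Rows as a social media settings form might have stored them. The second row
// carries a constructed stored-XSS probe in the label and a javascript: URL in
// the link field.
$rows = [
    ['social_media' => 'Twitter', 'social_media_link' => 'https://twitter.com/example'],
    ['social_media' => '"><script>alert(1)</script>', 'social_media_link' => 'javascript:alert(1)'],
];

// Vulnerable rendering: stored values are interpolated into the view unchanged.
function renderUnsafe(array $row): string
{
    return '<a href="' . $row['social_media_link'] . '">' . $row['social_media'] . '</a>';
}

// Output encoding for the HTML/attribute context. htmlspecialchars() with
// ENT_QUOTES stands in for CodeIgniter 4's esc() so this runs stand-alone.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Encoding alone does not make a link safe: a javascript: scheme survives
// encoding and is still clickable. Only absolute http(s) URLs are accepted.
function safeLink(string $url): ?string
{
    $scheme = parse_url($url, PHP_URL_SCHEME); // null if absent, false if malformed
    if (!in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

// Hardened rendering: every value is encoded, and a rejected link is dropped
// rather than emitted as an href.
function renderSafe(array $row): string
{
    $link = safeLink($row['social_media_link']);
    if ($link === null) {
        return '<span>' . escapeHtml($row['social_media']) . '</span>';
    }
    return '<a href="' . escapeHtml($link) . '" rel="noopener">' . escapeHtml($row['social_media']) . '</a>';
}

foreach ($rows as $row) {
    echo 'unsafe: ' . renderUnsafe($row) . PHP_EOL;
    echo 'safe:   ' . renderSafe($row) . PHP_EOL;
}
```

For the probe row the hardened output is `<span>&quot;&gt;&lt;script&gt;alert(1)&lt;/script&gt;</span>`, which the browser displays as text rather than executing.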
Affected Systems
All installations of ci4-cms-erp’s CI4MS CMS older than version 0.31.0.0 are affected. The vulnerability exists in the System Settings – Social Media Management module and impacts every configuration field that accepts user input within that module across all pre-patched releases.
Risk and Exploitability
The CVSS score of 4.7 indicates a low severity rating, yet the impact of a successful exploitation could be catastrophic, up to full platform compromise and privilege escalation. The EPSS score of <1% suggests that active exploitation is unlikely at the moment, and the issue is not listed in the CISA KEV catalog. Attackers would need to reach the vulnerable input fields, most likely through an account with permission to edit system settings, to store a malicious payload. Once stored, the code would execute in the browser of any authenticated user who views those pages, making the vulnerability dangerous once privileged access is obtained.
OpenCVE Enrichment
Github GHSA