Name: MODX Revolution 2.5.6
Software: MODX CMS
Vulnerability: stored WCI
Prerequisites: attacker needs to be authenticated and with permission to edit roles


Several stored WCI (a.k.a. XSS) vulnerabilities were discovered in the latest MODX Revolution code. An authenticated user with permission to edit roles can use them to execute malicious JavaScript in other users' browsers and possibly take control of their accounts.

Proof of Concept

The functionality is located at:

(settings) -> Access Control Lists -> User Group & Users -> New User Group -> Name

Set the name of the group to:

<h1 style=color:red>Malicious</h1><img src=x onerror=alert(1)>

Set the description of the group to:

<h1 style=color:red>Malicious group</h1><img src=x onerror=alert(2)>

The following request is made after saving the form:

POST /connectors/index.php HTTP/1.1
modAuth: modx58dd6b78abecd0.81702322_158e1f669c75121.62443671
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 303
Cookie: PHPSESSID=mq0kub9tiu3dv7l00ec472n9v6
Connection: close


The payload executes when the victim visits any page on which user groups are rendered:


Taking control of the site's administrator leads to full compromise, since the administrator can execute PHP by installing a plugin on the site. An attacker with permission to edit user groups can use this functionality to execute malicious JavaScript in victims' browsers. This can be used to take over other users' sessions, which in turn leads to full site compromise if the code is executed by the administrator.
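The root cause is that the stored group name and description are written into manager markup without output encoding. The following is an added JavaScript example, not MODX's own code, showing the vulnerable rendering pattern beside the hardened one; the group object shape and the function names are assumptions.

```javascript
// Added example (not MODX code): escaping user-group fields at the point
// they are written into HTML. Assumes a plain {name, description} object as
// a manager grid would receive it from the connector (field names assumed).

// Encode the five characters that matter in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: stored values concatenated straight into markup, so a
// name like the advisory's payload becomes live HTML for every viewer.
function groupCellsUnsafe(group) {
  return [group.name, group.description];
}

// Hardened pattern: every untrusted value is escaped before it reaches HTML,
// so the stored string is displayed literally and no script runs.
function groupCellsSafe(group) {
  return [escapeHtml(group.name), escapeHtml(group.description)];
}

// QA/CI check: does a rendered cell still contain an unescaped tag start?
function hasRawTag(cellHtml) {
  return /<[a-z!\/]/i.test(cellHtml);
}

// Build a table row from cell strings; the caller chooses safe or unsafe.
function renderRow(cells) {
  return '<tr>' + cells.map((c) => `<td>${c}</td>`).join('') + '</tr>';
}

// Constructed sample input: the group name/description from the PoC above.
const sampleGroup = {
  name: '<h1 style=color:red>Malicious</h1><img src=x onerror=alert(1)>',
  description: '<h1 style=color:red>Malicious group</h1><img src=x onerror=alert(2)>',
};
```

Running `groupCellsSafe(sampleGroup).some(hasRawTag)` returns false, while the unsafe variant returns true for both cells.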


An authenticated attacker with permission to edit user groups can take over the administrator's session and possibly execute PHP code on the server.

The following release has been published mitigating the issue:


  • 01.04.2017 | me > developer     | vulnerability discovered
  • 03.04.2017 | me > developer     | sent the report to the developers
  • 13.04.2017 | developer > me     | acknowledged the finding
  • 21.04.2017 | developer > public | new version released
  • 29.04.2017 | me > developer     | reported issues with the fix; no response
  • 22.08.2017 | DWF > developer    | CVE assigned
  • 31.08.2017 | me > public        | full disclosure