CVE-2025-67165

Pagekit · Pagekit CMS

An Insecure Direct Object Reference (IDOR) vulnerability in Pagekit CMS v1.0.18 allows unauthenticated attackers to escalate privileges.

Executive summary

A critical IDOR vulnerability in Pagekit CMS v1.0.18 permits unauthorized privilege escalation, posing a severe risk to system integrity and administrative control.

Vulnerability

This vulnerability involves an Insecure Direct Object Reference (IDOR) flaw within the application logic. It allows an unauthenticated attacker to manipulate object references to gain unauthorized elevated privileges.

Business impact

Successful exploitation allows an attacker to gain administrative access, potentially leading to full system compromise. With a CVSS score of 9.8, the risk of unauthorized data access, configuration modification, and complete service takeover is extreme. This represents a critical threat to the confidentiality, integrity, and availability of the affected environment.

Remediation

Immediate Action: Upgrade Pagekit CMS to the latest stable release provided by the vendor. Ensure all security patches are applied to remediate the IDOR vulnerability.

Proactive Monitoring: Monitor server access logs for unusual patterns, specifically focusing on requests targeting administrative endpoints or unauthorized parameter manipulation.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to inspect and block suspicious input parameters and unauthorized access attempts.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

The severity of this vulnerability necessitates immediate remediation. Administrators should prioritize updating the Pagekit CMS instance to a patched version to prevent unauthorized privilege escalation and maintain system security.