Date: November 10, 2021


In Publify, versions v8.0 to v9.2.4 are vulnerable to stored XSS. A user with a “publisher” role is able to inject and execute arbitrary JavaScript code while creating a page/article.


A user with a “publisher” role is able to inject JavaScript while creating a page/article, which assists in taking over the “admin” account.

PoC Details

In incognito mode, sign in to the application as Alice, a user with the “publisher” role.
Go to the “/admin/pages/new” endpoint and create a page with a malicious JavaScript payload. Publish it after setting a custom permalink. Copy the short URL that is generated.
In another window, log in with the admin credentials and paste the short URL. The XSS will be triggered.

PoC Code


Affected Environments

Publify versions 8.0 to 9.2.4


Update to Publify version v9.2.5

Language: Ruby

Good to know:


Cross-Site Scripting (XSS)


Upgrade Version

Upgrade to version publify_core - 9.2.5
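
A lockfile check for the affected range above, as an added example (not part of the advisory or of Publify's own code): it reads a Gemfile.lock and reports whether the resolved publify_core version falls in 8.0 to 9.2.4. The sample lockfile and the function names are constructed for illustration, and applying the advisory's Publify version range to the publify_core gem is an assumption.

```ruby
require "rubygems"

# Affected range and fixed release, as stated in the advisory above.
AFFECTED = Gem::Requirement.new(">= 8.0", "<= 9.2.4")
FIXED    = Gem::Version.new("9.2.5")
GEM_NAME = "publify_core"

# Constructed sample lockfile (not taken from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      publify_core (9.2.3)
        rails (~> 5.2)
      rails (5.2.6)

  DEPENDENCIES
    publify_core (~> 9.2)
LOCK

# Resolved specs in a Gemfile.lock are indented exactly four spaces:
# "    name (1.2.3)". Dependency constraints use other indents and are skipped.
def locked_versions(lockfile_text, name = GEM_NAME)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A {4}#{Regexp.escape(name)} \(([^)\s]+)\)\s*\z/)
    next unless m && Gem::Version.correct?(m[1])
    Gem::Version.new(m[1])
  end
end

# Classify a lockfile against the advisory's affected range.
def assess(lockfile_text)
  versions = locked_versions(lockfile_text)
  return :not_present if versions.empty?
  return :vulnerable if versions.any? { |v| AFFECTED.satisfied_by?(v) }
  versions.all? { |v| v >= FIXED } ? :fixed : :outside_advisory_range
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts "#{GEM_NAME}: #{assess(text)}"
end
```

Pass the path to a Gemfile.lock as the first argument; with no argument the constructed sample is assessed.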

Base Score:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
Base Score:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (AU): Single
Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Additional information: