📄 Description (English)
Craft CMS is a content management system (CMS). In versions 5.9.0-beta.1 through 5.9.10, the revision/draft context menu in the element editor renders the creator’s fullName as raw HTML due to the use of Template::raw() combined with Craft::t() string interpolation. A low-privileged control panel user (e.g., Author) can set their fullName to an XSS payload via the profile editor, then create an entry with two saves. If an administrator is logged in and executes a specifically crafted payload while an elevated session is active, the attacker’s account can be elevated to administrator. This issue has been fixed in version 5.9.11.
🤖 AI Executive Summary
Craft CMS versions 5.9.0-beta.1 through 5.9.10 contain a stored XSS vulnerability in the revision/draft context menu that allows low-privileged users to inject malicious HTML through their fullName field. An attacker can exploit this to escalate privileges to administrator when an admin views the crafted payload, potentially compromising the entire CMS and associated content. This vulnerability requires user interaction but poses significant risk to organizations using Craft CMS for content management.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 28, 2026 06:55
🇸🇦 Saudi Arabia Impact Assessment
Saudi organizations using Craft CMS for content management—particularly government agencies, media organizations, educational institutions, and corporate communications departments—face privilege escalation risks. Government entities under NCA oversight and organizations handling sensitive content are most at risk. The vulnerability could allow unauthorized administrative access to modify, delete, or exfiltrate content. Media and publishing sectors in Saudi Arabia relying on Craft CMS for digital content distribution are particularly vulnerable to content tampering and defacement attacks.
🏢 Affected Saudi Sectors
Government and Public Administration
Media and Publishing
Education
Corporate Communications
Digital Marketing Agencies
E-commerce
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
6.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Upgrade Craft CMS to version 5.9.11 or later immediately
2. Audit all user accounts with Author or higher privileges for suspicious fullName entries containing HTML/JavaScript
3. Review revision and draft history for entries modified by low-privileged users in the past 30 days
4. Force password reset for all administrative accounts
5. Review access logs for unauthorized administrative actions
PATCHING GUIDANCE:
- Apply security patch 5.9.11 to all Craft CMS installations
- Test patch in staging environment before production deployment
- Verify Template::raw() usage is properly sanitized in custom plugins
COMPENSATING CONTROLS (if immediate patching not possible):
- Restrict Author role permissions to prevent fullName modification
- Implement Web Application Firewall (WAF) rules to block XSS patterns in user profile submissions
- Disable revision/draft context menu for non-administrative users
- Implement strict Content Security Policy (CSP) headers
DETECTION RULES:
- Monitor for fullName field updates containing <script>, javascript:, onerror=, onclick= patterns
- Alert on privilege escalation events (Author to Admin role changes)
- Log all administrative account modifications and review for anomalies
- Monitor for unusual revision/draft access patterns from low-privileged accounts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. ترقية Craft CMS إلى الإصدار 5.9.11 أو أحدث فوراً
2. تدقيق جميع حسابات المستخدمين ذات صلاحيات المؤلف أو أعلى للبحث عن إدخالات اسم كامل مريبة تحتوي على HTML/JavaScript
3. مراجعة سجل المراجعات والمسودات للإدخالات المعدلة من قبل المستخدمين ذوي الصلاحيات المنخفضة في آخر 30 يوماً
4. فرض إعادة تعيين كلمة المرور لجميع الحسابات الإدارية
5. مراجعة سجلات الوصول للإجراءات الإدارية غير المصرح بها
إرشادات التصحيح:
- تطبيق تصحيح الأمان 5.9.11 على جميع تثبيتات Craft CMS
- اختبار التصحيح في بيئة التجريب قبل نشره في الإنتاج
- التحقق من أن استخدام Template::raw() يتم تنظيفه بشكل صحيح في المكونات الإضافية المخصصة
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
- تقييد صلاحيات دور المؤلف لمنع تعديل الاسم الكامل
- تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط XSS في تقديمات ملف تعريف المستخدم
- تعطيل قائمة السياق للمراجعات والمسودات للمستخدمين غير الإداريين
- تنفيذ رؤوس سياسة أمان المحتوى (CSP) صارمة
قواعد الكشف:
- مراقبة تحديثات حقل الاسم الكامل التي تحتوي على أنماط <script>، javascript:، onerror=، onclick=
- تنبيهات على أحداث رفع الامتيازات (تغييرات دور المؤلف إلى الإدارة)
- تسجيل جميع تعديلات الحسابات الإدارية ومراجعتها للشذوذ
- مراقبة أنماط الوصول غير العادية للمراجعات والمسودات من الحسابات ذات الصلاحيات المنخفضة
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
5.2.1 - Access Control and Authentication
5.3.1 - Input Validation and Output Encoding
5.4.2 - Security Testing and Vulnerability Management
5.5.1 - Incident Detection and Response
🔵 SAMA CSF
ID.AM-2 - Software Inventory
PR.AC-1 - Access Control
PR.DS-2 - Data Security
DE.CM-1 - Detection and Analysis
🟡 ISO 27001:2022
A.5.2.1 - User Registration and Access Rights Management
A.5.2.3 - Management of Privileged Access Rights
A.6.5.2 - Secure Development Policy
A.8.2.3 - Segregation of Duties
A.12.6.1 - Management of Technical Vulnerabilities
🟣 PCI DSS v4.0.1
Requirement 6.5.1 - Injection Flaws
Requirement 6.5.7 - Cross-Site Scripting (XSS)
Requirement 7.1 - Limit Access to System Components
🔗 References & Sources 3
🔗
https://github.com/craftcms/cms/commit/f634a9d21edcafd83a6716047d275f985aba6be1
security-advisories@github.com
Patch
🔗
https://github.com/craftcms/cms/releases/tag/5.9.11
security-advisories@github.com
Product
Release Notes
🔗
https://github.com/craftcms/cms/security/advisories/GHSA-3x4w-mxpf-fhqq
security-advisories@github.com
Patch
Vendor Advisory
📦 Affected Products / CPE 1 entries
craftcms:craft_cms