Mara CMS 7.5 - Reflected Cross-Site Scripting

Sooraj V Nair
Published on
10 Jan 2022


Any authenticated user can inject malicious code using the parameter contact.php?theme=inject> resulting in a Reflected XSS vulnerability.

The flaw arises because the parameter hasn’t been properly sanitised, which might result in malicious code being injected and executed on the target’s browser.


  • Update Mara CMS to the latest version
Automated human-like penetration testing for your web apps & APIs
Teams using Beagle Security are set up in minutes, embrace release-based CI/CD security testing and save up to 65% with timely remediation of vulnerabilities. Sign up for a free account to see what it can do for you.

Written by
Sooraj V Nair
Sooraj V Nair
Cyber Security Engineer
Find website security issues in a flash
Improve your website's security posture with proactive vulnerability detection.
Free website security assessment