VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2014 · Updated May 6, 2026

CVE-2014-8751

Description

Multiple cross-site scripting (XSS) vulnerabilities in goYWP WebPress 13.00.06 allow remote attackers to inject arbitrary web script or HTML via the (1) search_param parameter to search.php or (2) name, (3) address, or (4) comment parameter to forms.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

  • Goywp/Webpress (2 versions)
    • cpe:2.3:a:goywp:webpress:13.00.06:*:*:*:*:*:*:*
    • (no CPE) range: = 13.00.06

Patches

Vulnerability mechanics

Root cause

"Missing input sanitization allows user-controlled parameters to be reflected in web page output without neutralization."

Attack vector

An attacker can inject arbitrary HTML or JavaScript by sending a crafted HTTP GET request to search.php with a malicious search_param value, or by submitting a crafted HTTP POST request to forms.php with malicious name, address, or comment values [ref_id=1]. The injected script executes in the context of the victim's browser when the page is rendered, enabling theft of cookies, session tokens, or other sensitive data [CWE-79]. No authentication is required and the attack can be delivered via a simple link or form submission.

Affected code

The vulnerable code paths are the search.php page (search_param parameter via HTTP GET) and the forms.php page (name, address, and comment parameters via HTTP POST) [ref_id=1]. The advisory does not specify exact function names or line numbers.

What the fix does

No patch is available in the bundle. The advisory [ref_id=1] does not provide remediation code or vendor fix details. The vendor should implement proper output encoding or input validation for the search_param parameter on search.php and the name, address, and comment parameters on forms.php to neutralize HTML metacharacters before rendering them in the response [CWE-79].
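
The output encoding recommended above, sketched in PHP as an added example; it is not WebPress code and not a vendor fix. The function names are hypothetical, the HTML contexts (a text node and a quoted attribute) are assumed, and PHP 8.0 or later is assumed for the `mixed` type.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-ins for the pages named in the advisory; WebPress's
// real source is not on this page, so these only model the reflection.

/** Encode a value for an HTML text node or a quoted attribute value. */
function h(mixed $value): string
{
    // Arrays arrive when a client sends name[]=...; treat them as empty.
    $s = is_string($value) ? $value : '';
    // ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of making the call return an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** search.php, before: the GET value is concatenated as-is (CWE-79). */
function render_search_unsafe(array $get): string
{
    $q = $get['search_param'] ?? '';
    return '<p>Results for: ' . $q . '</p>';
}

/** search.php, after: encoded in both assumed output contexts. */
function render_search_safe(array $get): string
{
    $q = $get['search_param'] ?? '';
    return '<input name="search_param" value="' . h($q) . '">'
         . '<p>Results for: ' . h($q) . '</p>';
}

/** forms.php, after: the three POST fields named in the advisory. */
function render_form_echo_safe(array $post): string
{
    $rows = '';
    foreach (['name', 'address', 'comment'] as $field) {
        $rows .= '<dt>' . h($field) . '</dt><dd>' . h($post[$field] ?? '') . '</dd>';
    }
    return '<dl>' . $rows . '</dl>';
}

// Constructed sample input: harmless markup, enough to show the difference.
$sample = ['search_param' => '<b>"x"</b>'];
echo render_search_unsafe($sample), "\n"; // before
echo render_search_safe($sample), "\n";   // after
echo render_form_echo_safe(['name' => "O'Neil", 'comment' => ['a']]), "\n";
```

Encoding happens at the point of output rather than on input, so the stored or logged value stays unchanged and each context gets the escaping it needs.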

Preconditions

  • network: Attacker must be able to send HTTP requests to the target WebPress instance.
  • input: No authentication required; attacker supplies malicious payload in search_param (GET) or name/address/comment (POST) parameters.

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
