82Flex WEIPDCRM cross site scripting
Description
UNSUPPORTED WHEN ASSIGNED A vulnerability was found in 82Flex WEIPDCRM and classified as problematic. Affected by this issue is some unknown functionality. The manipulation leads to cross site scripting. The attack may be launched remotely. The name of the patch is 43bad79392332fa39e31b95268e76fbda9fec3a4. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-217184. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A cross-site scripting vulnerability in WEIPDCRM allows remote attackers to inject arbitrary web scripts via unsanitized GET parameters in the alipay_go action.
Vulnerability
A reflected cross-site scripting (XSS) vulnerability exists in the alipay_go case of the WEIPDCRM application. The code directly echoes unsanitized $_GET parameters (optEmail, payAmount, title, memo) into hidden form fields without any filtering or encoding. The vulnerable code path is triggered when the action parameter is set to alipay_go. The commit 43bad79392332fa39e31b95268e76fbda9fec3a4 introduced an XSS filter using xss_clean() to sanitize these inputs. All versions prior to this patch are affected. The product is marked as UNSUPPORTED WHEN ASSIGNED, meaning the maintainer no longer provides updates.
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript payloads in any of the affected GET parameters (optEmail, payAmount, title, memo). No authentication or special privileges are required; the attack is launched remotely by tricking a victim into clicking the crafted link. The server reflects the payload directly into the HTML response without sanitization, causing the browser to execute the injected script in the context of the vulnerable domain.
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser. This can lead to session hijacking, cookie theft, defacement, or redirection to malicious sites. The impact is limited to the client side, but the attacker can perform actions on behalf of the victim if the application relies on cookies or local storage for authentication.
Mitigation
The recommended mitigation is to apply the patch from commit 43bad79392332fa39e31b95268e76fbda9fec3a4, which adds an XSS filter using xss_clean() on all GET parameters before output. Since the product is no longer supported by the maintainer, no official updates are available. Users should consider migrating to an alternative solution or manually applying the patch if they continue to use the software. No workarounds are documented in the available references [1].
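The following is an added illustration, not WEIPDCRM's own code, of the pattern described under Vulnerability and the fix described here: the alipay_go hidden-field rendering with the four GET parameters, first as the unencoded shape and then encoded for the HTML attribute context, with a check that flags raw metacharacters surviving into the markup. Function names, form markup and the sample request are assumptions; the project's patch used xss_clean() as stated above, whereas this example uses PHP's standard htmlspecialchars.

```php
<?php
// Added example, not WEIPDCRM's code. Function names, the form markup and the
// sample request are assumptions; the parameter names come from the advisory.

// GET parameters the advisory names as echoed into hidden form fields.
const ALIPAY_GO_FIELDS = ['optEmail', 'payAmount', 'title', 'memo'];

// Vulnerable shape: raw request values are concatenated into attribute values,
// so a '"' in a value closes the attribute and a '<' opens a new tag.
function render_alipay_go_unsafe(array $get): string {
    $html = '<form method="post" action="/alipay/pay">';
    foreach (ALIPAY_GO_FIELDS as $name) {
        $value = $get[$name] ?? '';
        $html .= '<input type="hidden" name="' . $name . '" value="' . $value . '">';
    }
    return $html . '</form>';
}

// Hardened shape: encode for the quoted-attribute context at the point of
// output. ENT_QUOTES encodes both quote characters; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string.
function render_alipay_go_safe(array $get): string {
    $html = '<form method="post" action="/alipay/pay">';
    foreach (ALIPAY_GO_FIELDS as $name) {
        $value = htmlspecialchars($get[$name] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= '<input type="hidden" name="' . $name . '" value="' . $value . '">';
    }
    return $html . '</form>';
}

// Review check: does any input containing an attribute or tag metacharacter
// reach the output verbatim? True means the reflection is unencoded.
function attribute_breakout_possible(string $html, array $get): bool {
    foreach ($get as $value) {
        if (preg_match('/["<>]/', $value) && strpos($html, $value) !== false) {
            return true;
        }
    }
    return false;
}

// Constructed request: memo carries the characters that close a quoted
// attribute and start a new element.
$request = ['optEmail' => 'user@example.com', 'payAmount' => '10.00',
            'title' => 'Order', 'memo' => 'note"><b>bold</b>'];

var_dump(attribute_breakout_possible(render_alipay_go_unsafe($request), $request));
var_dump(attribute_breakout_possible(render_alipay_go_safe($request), $request));
```

The unsafe renderer reproduces the memo value verbatim inside the value attribute, while the encoded renderer emits &quot; and &lt; in its place, so the same value can no longer terminate the attribute.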
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References (3)
- github.com/82Flex/WEIPDCRM/commit/43bad79392332fa39e31b95268e76fbda9fec3a4 (tags: mitre, patch)
- vuldb.com (tags: mitre, signature, permissions-required)
- vuldb.com (tags: mitre, vdb-entry, technical-description)