VYPR
Unrated severity · OSV Advisory · Published Apr 24, 2018 · Updated Aug 5, 2024

CVE-2018-10311

Description

A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WUZHI CMS 4.1.0 has a persistent XSS vulnerability via the tag[pinyin] parameter, allowing arbitrary script injection.

Vulnerability

A persistent cross-site scripting (XSS) vulnerability exists in WUZHI CMS version 4.1.0. The flaw resides in the tag management functionality, specifically in the /index.php?m=tags&f=index&v=add endpoint. The tag[pinyin] parameter is not properly sanitized before being stored and later rendered in the admin panel, allowing attackers to inject arbitrary web script or HTML. The vulnerability is triggered when the injected data is displayed on the page /index.php?m=core&f=index&_su=wuzhicms [1].

Exploitation

To exploit this vulnerability, an attacker must have access to the tag creation form, which typically requires administrative or editor-level privileges in the WUZHI CMS backend. The attacker submits a POST request to /index.php?m=tags&f=index&v=add with a crafted tag[pinyin] parameter containing a malicious payload, such as <img/src=1 onerror=alert(document.cookie)>. The payload is stored in the database and executed when an administrator or user visits the affected admin page, as the stored data is output without proper encoding [1].

Impact

Successful exploitation leads to persistent execution of arbitrary JavaScript in the context of the victim's browser session. This can result in theft of session cookies, credential harvesting, defacement, or further attacks against the CMS backend. The attacker is not required to be on the same network as the victim; the XSS payload persists and affects any authenticated user who views the tag list [1].

Mitigation

As of the publication date (April 24, 2018), no official patch or fixed version has been released by the vendor for WUZHI CMS 4.1.0. Users should validate all user-supplied input, particularly the tag[pinyin] parameter, and apply context-appropriate output encoding wherever the stored value is rendered in templates. Upgrading to a later version (if available) or applying a web application firewall (WAF) rule to block XSS payloads in this parameter is recommended. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog [1].
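As an added illustration of the two mitigations named above (input validation at the point the tag is stored, and output encoding at the point it is rendered), the following Python is example code written for this page, not WUZHI CMS source; the function names, the row markup, the pinyin allow-list and the sample values are assumptions. It places the advisory's defect (a stored value echoed raw into HTML) beside the hardened rendering, and adds a WAF-style check of the kind the paragraph recommends.

```python
"""Vulnerable vs. hardened rendering of a stored tag value (added example).

Illustrative code only: not WUZHI CMS source. Function names, the row
layout, the allow-list and the sample values are assumptions.
"""
import html
import re

# Constructed sample values: one benign pinyin string and the payload shape
# quoted in the advisory text.
BENIGN_PINYIN = "beijing"
XSS_PAYLOAD = "<img/src=1 onerror=alert(document.cookie)>"

# Assumed allow-list: pinyin romanisation needs only ASCII letters, digits and
# a few separators, so anything outside that set is rejected at input time.
_PINYIN_RE = re.compile(r"^[A-Za-z0-9 _\-']{1,64}$")

# Endpoint named in the advisory (path only; query order as given there).
TAG_ADD_PATH = "/index.php?m=tags&f=index&v=add"


def validate_pinyin(value: str) -> bool:
    """Input-side check: True only for values that fit the pinyin allow-list."""
    return bool(_PINYIN_RE.fullmatch(value))


def render_tag_row_vulnerable(pinyin: str) -> str:
    """Mirrors the defect the advisory describes: the stored value is written
    into the admin tag list without any encoding, so markup in it is live."""
    return f"<tr><td class='pinyin'>{pinyin}</td></tr>"


def render_tag_row_hardened(pinyin: str) -> str:
    """Output-side fix: HTML-encode the value for both the element-content and
    attribute contexts it lands in (quote=True also escapes ' and \")."""
    safe = html.escape(pinyin, quote=True)
    return f"<tr><td class='pinyin' title='{safe}'>{safe}</td></tr>"


def store_tag(pinyin: str, db: list) -> bool:
    """Defence in depth: reject bad input before it is persisted. This never
    replaces output encoding, because the same row may be rendered by other
    templates later."""
    if not validate_pinyin(pinyin):
        return False
    db.append(pinyin)
    return True


def has_injected_tag(rendered: str) -> bool:
    """Check helper: does the rendered row start any element other than the
    expected <tr>/<td>? Encoded '&lt;img' does not count as a tag start."""
    tags = {m.lower() for m in re.findall(r"<(\w+)", rendered)}
    return not tags <= {"tr", "td"}


def flag_tag_add_request(path: str, form: dict) -> bool:
    """WAF/log-review style rule of the kind the mitigation suggests: flag a
    request to the tag-add endpoint whose tag[pinyin] fails the allow-list."""
    if not path.startswith(TAG_ADD_PATH):
        return False
    return not validate_pinyin(form.get("tag[pinyin]", ""))


if __name__ == "__main__":
    for value in (BENIGN_PINYIN, XSS_PAYLOAD):
        print("value:", value)
        print("  valid input:", validate_pinyin(value))
        print("  vulnerable row live markup:",
              has_injected_tag(render_tag_row_vulnerable(value)))
        print("  hardened row live markup:  ",
              has_injected_tag(render_tag_row_hardened(value)))
```

The hardened renderer keeps the attacker's text visible but inert (the `&lt;img ...&gt;` string still appears in the cell), which is the behaviour a reviewer should look for when verifying a fix: the stored value is preserved, only its interpretation as markup is removed.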

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in the index yet)