CVE-2018-10312
Description
index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 4.1.0 'index.php?m=member&v=pw_reset' lacks CSRF protection, allowing arbitrary password changes for common members.
Vulnerability
In WUZHI CMS version 4.1.0, the password reset functionality at index.php?m=member&v=pw_reset for common members does not include a CSRF token or any anti-forgery mechanism [1]. This allows an attacker to trick a logged-in member into submitting a crafted request that changes their password without their consent.
Exploitation
An attacker can create a malicious HTML page containing a form that submits a POST request to the vulnerable endpoint with the desired new password. The victim, who is already authenticated as a common member, only needs to visit this page for the password change to occur [1]: the browser attaches the victim's session cookie to the forged request automatically, and the endpoint has no way to tell that the request did not originate from its own form. The proof-of-concept in the reference demonstrates a hidden form that fills in the password fields and submits itself on page load.
Impact
Successful exploitation results in an attacker changing the victim's password, leading to full account takeover of the common member account. The attacker can then log in as the victim and access any member-level functionality.
Mitigation
As of the publication date (April 2018), no official fix had been released for this vulnerability [1]. The fix is to make the password-change request unforgeable: embed a per-session random token in the form and reject any POST whose token does not match on the server side, and require the member's current password before accepting a new one (an attacker forging the request does not know it). Setting the session cookie with the SameSite attribute adds a further layer, since browsers then omit it from cross-site form posts. Until such a fix is applied, members should avoid visiting untrusted pages while logged into the CMS.
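The following is an added example of what such a hardened handler looks like; it is not code from WUZHI CMS or the cited PoC. It is a stand-alone PHP script that assumes its own field names (csrf_token, old_password, new_password, new_password2) and keeps a stub password hash in the session so it runs without the CMS's database; the real pw_reset action would use the members table and the CMS's template layer instead.

```php
<?php
// pw_reset_hardened.php: stand-alone illustration of a CSRF-protected
// password-change action. Added example, not WUZHI CMS code. Field names and
// the session-held user stub are assumptions made so the script runs alone.
declare(strict_types=1);

// SameSite=Lax keeps the session cookie out of cross-site POSTs (PHP >= 7.3).
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
session_start();

// Constructed stand-in for the member record; the CMS would read the DB.
if (!isset($_SESSION['member_id'])) {
    $_SESSION['member_id'] = 1001;
    $_SESSION['password_hash'] = password_hash('old-secret', PASSWORD_DEFAULT);
}

// One random token per session; the attacker's page cannot read it because
// the same-origin policy stops it from reading the CMS's form.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak the token byte by byte.
function csrf_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defence in depth: if the browser sent an Origin header, it must match us.
function origin_ok(): bool
{
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin === '') {
        return true; // no header to check; the token is the primary control
    }
    $host = strtok($_SERVER['HTTP_HOST'] ?? '', ':');
    return parse_url($origin, PHP_URL_HOST) === $host;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = [];
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        $errors[] = 'missing or invalid CSRF token';
    }
    if (!origin_ok()) {
        $errors[] = 'cross-origin request';
    }
    // Re-authentication: a forged request cannot supply the current password.
    if (!password_verify($_POST['old_password'] ?? '', $_SESSION['password_hash'])) {
        $errors[] = 'current password incorrect';
    }
    $new = $_POST['new_password'] ?? '';
    if (strlen($new) < 8 || $new !== ($_POST['new_password2'] ?? '')) {
        $errors[] = 'new password too short or does not match';
    }
    if ($errors !== []) {
        http_response_code(403);
        exit('Password not changed: ' . htmlspecialchars(implode('; ', $errors)));
    }
    $_SESSION['password_hash'] = password_hash($new, PASSWORD_DEFAULT);
    // Rotate the token after a sensitive action so a leaked one is single-use.
    unset($_SESSION['csrf_token']);
    exit('Password changed.');
}

// GET: render the form with the token embedded. The attacker's hidden form
// from the PoC lacks this field and the current password, so it is rejected.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES);
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="csrf_token" value="{$token}">
  <label>Current password <input type="password" name="old_password"></label>
  <label>New password <input type="password" name="new_password"></label>
  <label>Repeat new password <input type="password" name="new_password2"></label>
  <button type="submit">Change password</button>
</form>
HTML;
```

Run it with `php -S 127.0.0.1:8080 pw_reset_hardened.php`, load the form in a browser, then host a page on a different origin that auto-submits a POST to it with only the new-password fields: the request is refused with 403 because the token and current password are absent, which is exactly the request the vulnerable endpoint in 4.1.0 accepts. The current-password check is the one control that holds even if a token is ever leaked, so keep it even after adding the token.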
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- www.exploit-db.com/exploits/44504/ (MITRE; exploit; x_refsource_EXPLOIT-DB)
- github.com/wuzhicms/wuzhicms/issues/132 (MITRE; x_refsource_MISC)
News mentions (0)
No linked articles in our index yet.