CVE-2018-10313
Description
WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 4.1.0 suffers from persistent XSS via the form[qq_10] parameter in the profile update endpoint, enabling stored script injection.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in WUZHI CMS version 4.1.0. The flaw is located in the profile update functionality accessed via /index.php?m=member&f=index&v=profile&set_iframe=1. The form%5Bqq_10%5D (URL-encoded form[qq_10]) parameter is not properly sanitized, allowing arbitrary HTML and JavaScript to be stored in the application. [1]
Exploitation
An authenticated attacker (a registered member) can exploit this vulnerability by sending a POST request to the profile update URI with malicious script code in the form[qq_10] parameter. The payload is stored in the database. Subsequently, when a backend administrator views that member's personal information, the stored script executes in the administrator's browser. [1]
Impact
Successful exploitation results in persistent XSS, enabling an attacker to execute arbitrary JavaScript in the context of an administrator's session. This can lead to session hijacking, defacement, or theft of sensitive information, effectively compromising the administrative interface. [1]
Mitigation
As of the publication date (2018-04-24), no official patch has been released. Users are advised to restrict access to the profile update functionality or apply input validation and output encoding manually. Consider upgrading to a later version if available. [1]
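The manual input validation and output encoding advised above could look like the following. This is an added example, not WUZHI CMS code: the function names are hypothetical, the sample values are constructed, and it assumes form[qq_10] is meant to hold a QQ number (5 to 11 digits).

```php
<?php
declare(strict_types=1);

/**
 * Input side (hypothetical helper): allow-list check run before the profile
 * update is written to the database.
 * Assumption: form[qq_10] holds a QQ number, i.e. 5 to 11 ASCII digits.
 * Returns the cleaned value, or null if the submission must be rejected.
 */
function validate_qq($raw): ?string
{
    if (!is_string($raw)) {
        return null; // e.g. form[qq_10][]=... arrives as an array
    }
    $value = trim($raw);
    // \A and \z anchor the whole string; a trailing newline does not pass.
    return preg_match('/\A[1-9][0-9]{4,10}\z/', $value) === 1 ? $value : null;
}

/**
 * Output side (hypothetical helper): encode a stored value for an HTML text
 * or quoted-attribute context. Applied on every render in the admin view, so
 * rows saved before the validator existed are displayed as inert text too.
 */
function html_text(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions for form[qq_10].
$samples = [
    '10001234',                  // well-formed
    '  10001234 ',               // surrounding whitespace is trimmed
    '<script>alert(1)</script>', // markup is rejected by the allow-list
    '1234" onmouseover="x',      // attribute breakout attempt is rejected
    ['nested'],                  // wrong type is rejected
];

foreach ($samples as $raw) {
    $clean = validate_qq($raw);
    printf("%-32s => %s\n", json_encode($raw), $clean ?? 'REJECTED');
}

// Constructed legacy row stored before validation was deployed:
// the admin page prints it as text instead of interpreting it as markup.
$legacy = '"><img src=x onerror=alert(1)>';
echo '<td>', html_text($legacy), "</td>\n";
```

Validation alone does not neutralize values already stored in the database, which is why the encoding step belongs in the administrator-facing template regardless.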
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =4.1.0
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/44617/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- github.com/wuzhicms/wuzhicms/issues/133 (mitre, x_refsource_MISC)