CVE-2018-10391
Description
An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 4.1.0 suffers from persistent XSS via the email parameter during user registration, triggering when an admin views the member's profile.
Vulnerability
A persistent cross-site scripting (XSS) vulnerability exists in WUZHI CMS version 4.1.0. The email parameter in the user registration form at /index.php?m=member&v=register is not properly sanitized before being stored and later rendered. An attacker can inject arbitrary web script or HTML into this field, and the payload is executed when a privileged administrator views the personal information of the registered member. [1]
Exploitation
An attacker does not need special privileges; they only need access to the registration page. The attacker crafts a malicious payload and submits it as the `email` value via a POST request to the registration endpoint. The payload is stored in the database. When a backend administrator views that member's profile, the injected script executes in the context of the administrator's session. [1]
Impact
Successful exploitation allows an attacker to achieve persistent XSS, leading to arbitrary script execution in an administrator's browser. This could be used to steal session cookies, perform administrative actions on behalf of the victim, or deface the admin interface. The impact is high because the attack targets a privileged user. [1]
Mitigation
As of the reference date (April 2018), no official patch or fixed version has been released for WUZHI CMS 4.1.0. Users should apply input validation and output encoding for the email field on the registration form, and consider sanitizing all user-submitted data before storage or display. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog. [1]
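The two controls named above, validation on the registration input and encoding where the admin member view renders the value, shown in PHP because WUZHI CMS is a PHP application. This is an added example, not code from WUZHI CMS or the referenced issue; the function names `validate_registration_email` and `h` and all sample values are assumptions.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the names are not taken from the WUZHI CMS code base.

/** Input side: return the address if acceptable, or null if it must be rejected. */
function validate_registration_email(string $raw): ?string
{
    $email = trim($raw);
    // Bound the length first (254 is the usual upper limit for an address).
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    // Syntactic check with PHP's built-in filter.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Stricter allow-list on top: RFC-valid addresses may still contain
    // characters that matter in HTML, such as ' and &.
    if (!preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/', $email)) {
        return null;
    }
    return $email;
}

/** Output side: encode for an HTML text or quoted-attribute context. */
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample values (not from the advisory).
$samples = [
    'alice@example.com',
    'Bob.Smith+news@example.org',
    '<b>marker</b>@example.com',   // markup in the local part
    "o'brien@example.com",         // RFC-valid, but outside the allow-list
];

foreach ($samples as $raw) {
    $stored = validate_registration_email($raw);
    printf("%-30s => %s\n", $raw, $stored === null ? 'rejected' : 'accepted');
}

// Rows written before the fix may already contain markup, so the admin
// member view must encode on output regardless of input validation.
$legacyRow = ['email' => '<b>marker</b>@example.com'];
echo '<td>' . h($legacyRow['email']) . "</td>\n";
```

Validation narrows what can be stored, but the output encoding in `h()` is the control that stops stored markup from being interpreted when the administrator's page is rendered.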
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches
No patches discovered yet.
References
[1] github.com/wuzhicms/wuzhicms/issues/134 (mitre, x_refsource_MISC)