CVE-2018-1325
Description
In Apache wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1, JS code created in WYSIWYG editor will be executed on display.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache wicket-jquery-ui WYSIWYG editor allows stored XSS via crafted JS code.
Vulnerability
In Apache wicket-jquery-ui versions 6.29.0 and earlier, 7.10.1 and earlier, and 8.0.0-M9.1 and earlier, JavaScript code created in the WYSIWYG editor is executed when the content is displayed, leading to a stored cross-site scripting (XSS) vulnerability [1].
Exploitation
An attacker with write access to the WYSIWYG editor can inject malicious JavaScript code into the input. When the crafted content is rendered in a browser, the injected script executes in the context of the viewer's session [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to information disclosure, session hijacking, or other malicious actions [1].
Mitigation
Upgrade to a version later than the affected ones: for the 6.x line, upgrade to 6.29.1 or later; for 7.x, upgrade to 7.10.2 or later; for 8.x, upgrade to 8.0.0-M10 or later. No workaround is documented [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent (Maven) | < 6.29.1 | 6.29.1 |
| com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent (Maven) | >= 7.0.0, < 7.10.2 | 7.10.2 |
| com.googlecode.wicket-jquery-ui:wicket-jquery-ui-parent (Maven) | >= 8.0.0-M1, < 8.0.0-M9.2 | 8.0.0-M9.2 |
Affected products
- Range: <=6.29.0, <=7.10.1, <=8.0.0-M9.1
- Apache Software Foundation/wicket-jquery-ui (v5), Range: wicket-jquery-ui <= 6.29.0, <= 7.10.1, <= 8.0.0-M9.1
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-pjv3-rh6v-2pj8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-1325 (ghsa, ADVISORY)
- markmail.org/message/6bxjyaolehhq7jrl (ghsa, mailing-list, x_refsource_MLIST, WEB)