VYPR
Unrated severity · OSV Advisory · Published Jul 23, 2018 · Updated Aug 5, 2024

CVE-2018-14513

Description

An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[content] parameter to the index.php?m=feedback&f=index&v=contact URI.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

WUZHI CMS 4.1.0 suffers from persistent XSS via the form[content] parameter in the feedback module, allowing arbitrary script injection when an administrator views the feedback.

Vulnerability

An XSS vulnerability exists in WUZHI CMS version 4.1.0. The parameter form[content] in the feedback module (index.php?m=feedback&f=index&v=contact) does not properly sanitize user input, allowing stored cross-site scripting. An attacker can submit arbitrary HTML or JavaScript through a contact form submission, which is stored in the database. When an administrator accesses the Content Feedback page in the Extension module, the malicious payload executes in the administrator's browser session [1].

Exploitation

The attacker requires no authentication to submit the contact form; any remote attacker can POST a crafted form[content] value to the vulnerable endpoint. The attacker must craft a payload that survives storage and triggers upon administrator review. For example, the provided proof-of-concept uses a <details/open/ontoggle=eval(String.fromCharCode(...))> event handler that executes JavaScript when the element is toggled. The attacker sends the form, and the XSS is triggered when an administrator visits the feedback management page and interacts with the stored content, such as opening the details element [1].

Impact

Successful exploitation leads to persistent cross-site scripting in the administrative context. An attacker can execute arbitrary JavaScript in the administrator's browser, potentially stealing session cookies, performing actions on behalf of the administrator, or defacing the CMS backend. The impact is limited to the administrative interface and the privileges of the logged-in administrator who views the feedback page [1].

Mitigation

No official patch or fixed version has been released for this vulnerability in the available references. Users should consider applying input sanitization to the form[content] field in the feedback module, or restrict access to the feedback management page to trusted administrators only. As of the publication date (2018-07-23), no update is available [1].
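As an added illustration (not WUZHI CMS code and not from the advisory's references), the PHP below contrasts the failure mode described here, a stored feedback value echoed straight into the administrator's page, with the same row rendered through HTML output encoding, and adds a restrictive Content-Security-Policy as defence in depth plus a triage check that flags already-stored rows containing an event-handler attribute. The row layout, function names, headers and sample submissions are all constructed for this example.

```php
<?php
// Added example: unsafe versus encoded rendering of a stored feedback field.
// Everything here (row shape, function names, sample data) is hypothetical.
declare(strict_types=1);

// Constructed sample submissions standing in for stored form[content] values.
// Row 2 has the shape of the event-handler payload the advisory describes,
// with a harmless console.log in place of the real script.
$storedFeedback = [
    ['id' => 1, 'content' => 'Great site, thanks!'],
    ['id' => 2, 'content' => "<details/open/ontoggle=console.log('constructed sample')>"],
];

// Vulnerable rendering: the stored value becomes part of the admin page's DOM,
// so any element it contains is created and its event handler can fire.
function renderFeedbackRowVulnerable(array $row): string
{
    return sprintf('<tr><td>%d</td><td>%s</td></tr>', $row['id'], $row['content']);
}

// Hardened rendering: encode for the HTML text context at output time.
// ENT_QUOTES also encodes ' and " so the value is safe inside attributes;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFeedbackRowSafe(array $row): string
{
    return sprintf('<tr><td>%d</td><td>%s</td></tr>', $row['id'], escapeHtml($row['content']));
}

// Defence in depth for the feedback management page: a CSP without
// 'unsafe-inline' leaves an injected inline event handler inert even if an
// encoding bug slips through somewhere else in the template.
function feedbackPageHeaders(): array
{
    return [
        "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
        'X-Content-Type-Options: nosniff',
    ];
}

// Triage heuristic for defenders reviewing rows stored before the fix:
// true when the content contains a tag carrying an on* event attribute.
// This is for flagging and review only; it is not a sanitizer.
function looksLikeStoredXss(string $content): bool
{
    return (bool) preg_match('/<[a-z][^>]*[\s\/]on[a-z]+\s*=/i', $content);
}

foreach (feedbackPageHeaders() as $header) {
    echo "Header:     ", $header, PHP_EOL;
}
echo PHP_EOL;

foreach ($storedFeedback as $row) {
    echo "Vulnerable: ", renderFeedbackRowVulnerable($row), PHP_EOL;
    echo "Safe:       ", renderFeedbackRowSafe($row), PHP_EOL;
    echo "Flagged:    ", looksLikeStoredXss($row['content']) ? 'yes' : 'no', PHP_EOL, PHP_EOL;
}
```

Run it with `php example.php`. The design point is that the stored value is kept as submitted and encoded at the moment it is placed into HTML, which is the standard fix for stored XSS; filtering on input alone, as the advisory suggests, is a weaker control because the same stored string may later be rendered in several contexts. The CSP and the triage regex are complementary: the first limits what any surviving injection can do in the administrator's browser, the second helps locate rows that were stored while the page was still vulnerable.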

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)