CVE-2018-16350
Description
WUZHI CMS 4.1.0 has XSS via the index.php?m=core&f=set&v=basic form[statcode] parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 4.1.0 is vulnerable to persistent cross-site scripting via the form[statcode] parameter in the site settings.
Vulnerability
WUZHI CMS version 4.1.0 contains a persistent cross-site scripting (XSS) vulnerability in the site configuration page. The form[statcode] parameter, passed via POST to /index.php?m=core&f=set&v=basic, is not sanitized before being stored and rendered. An attacker with administrative access to the settings panel can inject arbitrary HTML and JavaScript code into this field. [1]
Exploitation
An attacker must have administrator-level access to the WUZHI CMS backend. The exploit is performed by sending a POST request to index.php?m=core&f=set&v=basic with a crafted form[statcode] value containing malicious script, such as <details/open/ontoggle=eval(String.fromCharCode(...))>. The injected payload is stored and executed when any administrator views the affected settings page. No additional user interaction beyond viewing the page is required for the stored script to execute. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim administrator's session. This can lead to session hijacking, defacement, theft of sensitive data displayed on the page, or further compromise of the CMS instance. The attack is persistent, meaning the payload remains active until removed. [1]
Mitigation
No official fix has been released by the vendor, and the project appears to be unmaintained. As a workaround, administrators should ensure that only trusted users have backend access and consider manually sanitizing the form[statcode] input in the codebase. The software may be end-of-life; migrating to an alternative CMS is recommended. [1]
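The following PHP snippet is an added illustration of the workaround described above; it is not WUZHI CMS code, and the function names, the `$settings` layout and the assumption that the admin form re-displays the stored value inside a `<textarea>` are all hypothetical. It shows the two defensive layers an operator who patches the codebase would want: encoding the stored form[statcode] value when it is rendered back into the settings page, so a previously injected payload is displayed as text rather than executed, and a review check that flags the constructs named in the report (inline event handlers, eval, String.fromCharCode) so an already-tampered setting can be found during an audit.

```php
<?php
// Added example, not WUZHI CMS code. Assumes the admin settings form echoes
// the stored form[statcode] value into a <textarea>; field and function
// names are hypothetical.

declare(strict_types=1);

// Layer 1: output encoding. Rendering the stored value through
// htmlspecialchars() turns it into inert text inside the admin form, which
// is the point at which the stored payload would otherwise execute.
function renderStatcodeField(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<textarea name="form[statcode]">' . $safe . '</textarea>';
}

// Layer 2: audit check. A statcode field is normally meant to hold a
// tracking snippet, so a blanket reject is not always possible; instead,
// flag the constructs the issue describes so an operator can inspect the
// stored value. Returns the list of matched categories (empty = nothing found).
function statcodeLooksSuspicious(string $value): array
{
    $patterns = [
        'inline event handler' => '/\bon[a-z]+\s*=/i',
        'eval() call'          => '/\beval\s*\(/i',
        'String.fromCharCode'  => '/String\.fromCharCode/i',
        'javascript: URL'      => '/javascript\s*:/i',
    ];
    $findings = [];
    foreach ($patterns as $label => $re) {
        if (preg_match($re, $value) === 1) {
            $findings[] = $label;
        }
    }
    return $findings;
}

// Constructed sample: a stored value shaped like the one in the report,
// with a placeholder argument instead of a real payload.
$stored = '<details/open/ontoggle=eval(String.fromCharCode(/*...*/))>';

echo renderStatcodeField($stored), PHP_EOL;
// The textarea now contains "&lt;details/open/ontoggle=..." as literal text.

print_r(statcodeLooksSuspicious($stored));
// Array ( [0] => inline event handler [1] => eval() call [2] => String.fromCharCode )
```

Run as `php audit_statcode.php` against the value pulled from the settings store (or adapt `statcodeLooksSuspicious()` into a one-off script over the database row). The encoding layer is the actual fix for the admin-page execution; the regex check is only a review aid and should not be treated as a filter that makes raw rendering safe.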
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/wuzhicms/wuzhicms/issues/148
News mentions
No linked articles in our index yet.