CVE-2018-17832
Description
XSS exists in WUZHI CMS 2.0 via the index.php v or f parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 2.0 is vulnerable to reflected cross-site scripting (XSS) via the v and f parameters in index.php.
Vulnerability
WUZHI CMS 2.0 is vulnerable to reflected cross-site scripting (XSS) in the index.php script. The vulnerable inputs are the v and f parameters, supplied in a GET request. An attacker can inject arbitrary JavaScript code through these parameters without any authentication or special conditions [1][2].
Exploitation
An attacker can craft a malicious URL containing an XSS payload in the v or f parameter, for example: http://Target/index.php?v=">RENZI. The victim must be tricked into clicking the crafted link. No special network position or privileges are required; the attack is remote [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, redirection, or theft of sensitive information [1][2].
Mitigation
No official fix has been released by the vendor for WUZHI CMS 2.0 as of the disclosure date. Users should implement input validation and output encoding for the affected parameters, or consider upgrading to a later version if available [1][2].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.0
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation and output encoding of the `v` and `f` GET parameters in `index.php` allows injection of arbitrary HTML and JavaScript."
Attack vector
An attacker crafts a malicious URL containing a JavaScript payload in either the `v` or `f` parameter of `index.php`. When a victim visits the crafted URL, the browser executes the injected script because the application does not validate or encode the parameter values before rendering them in the HTML page [ref_id=1]. The attack is performed remotely via a simple GET request and requires no authentication [ref_id=1].
Affected code
The vulnerability is located in the `index.php` script of WUZHI CMS 2.0. The `v` and `f` GET parameters are passed directly into the page output without sanitization or encoding [ref_id=1].
What the fix does
The advisory does not provide a patch or code-level fix. It recommends general XSS prevention practices: never insert untrusted data into HTML contexts without escaping, validate all input characters, and escape special characters such as `%25` in URLs [ref_id=1]. No official fix from the vendor has been published in the disclosed material.
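Since no vendor fix is listed, the same character validation can be applied to web server access logs to spot requests that target these parameters. The following is an added example, not code from the advisory or from WUZHI CMS; it assumes a combined-format access log and that legitimate `v` and `f` values are short identifiers, and the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: legitimate v/f values are short identifiers (letters, digits, "_").
SAFE_VALUE = re.compile(r"[A-Za-z0-9_]{1,64}")
REQUEST = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')
WATCHED = {"v", "f"}

# Constructed sample lines (documentation IP ranges, invented values).
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Oct/2018:10:00:00 +0000] "GET /index.php?f=index&v=listing HTTP/1.1" 200 5120',
    '198.51.100.8 - - [01/Oct/2018:10:00:05 +0000] "GET /index.php?v=%22%3ERENZI HTTP/1.1" 200 5200',
    '198.51.100.9 - - [01/Oct/2018:10:00:09 +0000] "GET /index.php?f=%2522%253Cb%253E HTTP/1.1" 200 5200',
    '198.51.100.9 - - [01/Oct/2018:10:00:12 +0000] "GET /about.php?v=%3Cb%3E HTTP/1.1" 200 100',
]

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double encoding (%253C -> %3C -> <) is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(log_line):
    """Return [(param, decoded_value)] for v/f values on index.php that fail the allowlist."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/index.php"):
        return []
    hits = []
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(url.query):
        if name in WATCHED:
            decoded = fully_decode(value)
            if not SAFE_VALUE.fullmatch(decoded):
                hits.append((name, decoded))
    return hits

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for name, value in suspicious_params(line):
            print(f"suspicious {name}={value!r} in: {line}")
```

The allowlist is deliberately strict; widen `SAFE_VALUE` only after checking which values the site's own links actually use.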
Preconditions
- input: The victim must visit a crafted URL containing the malicious payload in the v or f parameter.
- network: No authentication is required; the attack is performed remotely via a GET request.
Reproduction
1. Access the application at `http://demo.wuzhicms.com/index.php?v=">
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/45514/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- cxsecurity.com/issue/WLB-2018050139 (mitre, x_refsource_MISC)