CVE-2018-18711
Description
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's password via index.php?m=core&f=panel&v=edit_info.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in WUZHI CMS 4.1.0 allows an attacker to change the super administrator's password when the logged-in administrator opens a malicious page.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in WUZHI CMS version 4.1.0. The password change functionality at /index.php?m=core&f=panel&v=edit_info does not implement CSRF tokens, allowing an attacker to forge requests. The vulnerability is triggered when a logged-in super administrator visits a malicious page [1].
Exploitation
An attacker crafts a malicious HTML page that automatically submits a POST request to the vulnerable endpoint. The PoC includes a form targeting the password change action with a new password value. The attacker must lure the authenticated super administrator (uid=1) into opening the page (e.g., via phishing or embedding in a trusted site) [1].
Impact
Successful exploitation enables the attacker to change the super administrator's password without the administrator's knowledge. This leads to full account takeover, allowing the attacker to access all CMS functionality and data. The impact is a complete compromise of the CMS's security [1].
Mitigation
No official patch or update was available at the time of publication. As a workaround, developers should implement CSRF tokens for all sensitive actions, especially those involving user or administrative account modifications. Alternatively, restrict access to the admin panel or use additional request validation [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing CSRF protection on super administrator profile modification endpoints allows an attacker to forge state-changing requests."
Attack vector
An attacker crafts a malicious HTML page containing auto-submitting forms that target the two vulnerable POST endpoints. When a logged-in super administrator (uid=1) visits the attacker's page, the forms are submitted silently via hidden iframes, changing the admin's username to "hacker" and password to "123456" [1]. The attack requires no special privileges beyond tricking the authenticated super administrator into opening the crafted page [1].
Affected code
The vulnerability affects the super administrator profile editing functionality in WUZHI CMS 4.1.0. The two vulnerable endpoints are `index.php?m=member&f=index&v=edit&uid=1` (for changing the username) and `index.php?m=core&f=panel&v=edit_info` (for changing the password) [1]. Both endpoints accept POST requests without any CSRF token or origin validation.
What the fix does
No patch is provided in the bundle. The advisory [1] identifies that the two POST methods lack CSRF protection. The remediation would require the application to implement anti-CSRF tokens on both forms (`index.php?m=member&f=index&v=edit&uid=1` and `index.php?m=core&f=panel&v=edit_info`) and validate the token on the server side before processing any state-changing request [1].
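A sketch of the token and origin check described above, as an added example in PHP; it is not WUZHI CMS code or a vendor patch. The function names, the `csrf_token` field name and the `TRUSTED_ORIGIN` constant are hypothetical, and the origin value assumes the test instance used in the reproduction steps.

```php
<?php
// Added example, not WUZHI CMS code: session-bound CSRF token plus Origin check.
declare(strict_types=1);
const TRUSTED_ORIGIN = 'http://localhost:8008'; // assumption: origin of the test instance

/** Return the per-session token, creating it on first use. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    return $_SESSION['csrf_token'] ??= bin2hex(random_bytes(32));
}

/** Hidden field to embed in both the edit and edit_info forms. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only for a matching session token and, when sent, a same-origin Origin/Referer. */
function csrf_request_is_valid(array $post, array $server, array $session): bool
{
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['csrf_token'] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === ''
        || !hash_equals($expected, $supplied)) {
        return false;
    }
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? null;
    if ($source === null) {
        return true; // header absent: the token check above still applies
    }
    $p = parse_url((string) $source);
    $origin = ($p['scheme'] ?? '') . '://' . ($p['host'] ?? '')
        . (isset($p['port']) ? ':' . $p['port'] : '');
    return hash_equals(TRUSTED_ORIGIN, $origin);
}

/** Call in each handler before the username or password update is processed. */
function csrf_guard(): void
{
    csrf_token(); // ensures the session is started
    if (!csrf_request_is_valid($_POST, $_SERVER, $_SESSION)) {
        http_response_code(403);
        exit('CSRF validation failed');
    }
}
```

A cross-site form cannot read the session's token, so a forged submission fails the `hash_equals` comparison even though the browser attaches the session cookie.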
Preconditions
- auth: The super administrator (uid=1) must be logged into WUZHI CMS 4.1.0
- input: The attacker must trick the super administrator into visiting a crafted HTML page (e.g., via social engineering)
- auth: The victim's browser must have an active session cookie for the target WUZHI CMS instance
Reproduction
1. Log in as the super administrator (uid=1) to a WUZHI CMS 4.1.0 instance at `http://localhost:8008/wuzhicms/`.
2. Create an HTML file containing the combined PoC form from [1] that submits to `index.php?m=member&f=index&v=edit&uid=1&_su=wuzhicms&_menuid=30&submit` (username change) and `index.php?m=core&f=panel&v=edit_info&_su=wuzhicms&_menuid=20&submit` (password change).
3. Have the logged-in super administrator open the HTML file in the same browser.
4. The forms auto-submit via hidden iframes, changing the username to "hacker" and password to "123456" [1].
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1 - github.com/wuzhicms/wuzhicms/issues/156 (mitre, x_refsource_MISC)