CVE-2018-18938
Description
An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via an ontoggle attribute to details/open/ within a second input field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 4.1.0 has a stored XSS vulnerability via an ontoggle attribute in the details/open input field, allowing remote attackers to inject arbitrary web script.
Vulnerability
The vulnerability is a stored cross-site scripting (XSS) issue in WUZHI CMS version 4.1.0. It resides in the index.php?m=core&f=index functionality, specifically in a second input field into which a details/open/ element carrying an ontoggle attribute can be injected. The JavaScript in that attribute is stored by the application and executed each time the page is viewed. The affected version is 4.1.0 [1].
Exploitation
Exploitation requires an attacker to have administrative access to the CMS. The attacker logs in as an admin, navigates to the vulnerable input field, and inserts a payload such as <details/open/ontoggle=eval(String.fromCharCode(...))>. Upon submitting and subsequently viewing the page, the ontoggle event triggers, executing the injected script [1].
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the admin session. This can result in session hijacking, defacement, or theft of sensitive information. The attack is persistent as the payload remains in the database [1].
Mitigation
As of the publication date, no official patch or mitigation has been released. Administrators should restrict access to admin accounts, validate and sanitize all user inputs, and consider upgrading to a newer version if available. The vulnerability is not listed on the CISA KEV [1].
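The "validate and sanitize all user inputs" step above, as an added example that is not code from the page or from the WUZHI project: a parser-based filter that strips every on* event-handler attribute from a stored field value and reports what it removed, so the same routine can audit rows already in the database. The sample values are constructed, modelled on the payload shape this CVE describes.

```python
from html.parser import HTMLParser
from html import escape

# Constructed sample field values (not taken from any real installation):
# the first follows the CVE-2018-18938 payload shape, the second is benign.
STORED_FIELD_VALUES = [
    "<details/open/ontoggle=eval(String.fromCharCode(...))>",
    "<details open><summary>Notes</summary>plain text</details>",
]


class EventHandlerStripper(HTMLParser):
    """Re-serialize an HTML fragment without on* event-handler attributes.

    html.parser accepts '/' as an attribute separator, so the slash-delimited
    payload is still seen as tag 'details' with attributes 'open' and
    'ontoggle'; a filter that only looks for whitespace before 'on...=' would
    not see the attribute at all.
    """

    def __init__(self):
        super().__init__()          # convert_charrefs=True: data arrives decoded
        self.out = []
        self.removed = []           # (tag, attribute) pairs for logging/alerting

    def _attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):
                self.removed.append((tag, name))
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(tag, attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize(fragment):
    """Return (clean_html, removed_handlers) for one stored field value."""
    parser = EventHandlerStripper()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.removed


def audit(values):
    """Map index -> removed handlers for every value that carried one."""
    return {i: sanitize(v)[1] for i, v in enumerate(values) if sanitize(v)[1]}
```

Running `audit(STORED_FIELD_VALUES)` flags only the first entry, which is the check an administrator would run over existing content while waiting for a fix.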
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =4.1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/wuzhicms/wuzhicms/issues/158 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.