CVE-2018-18939
Description
An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via a seventh input field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in WUZHI CMS 4.1.0 via the seventh input field on the core index page, allowing arbitrary script execution.
Vulnerability
WUZHI CMS version 4.1.0 contains a stored cross-site scripting (XSS) vulnerability in index.php?m=core&f=index. The issue occurs in a seventh input field that does not sanitize user-supplied input before storing it. An authenticated administrator can inject arbitrary HTML or JavaScript, which is saved and later executed when other users visit the homepage [1].
Exploitation
To exploit this vulnerability, an attacker must first log in as an administrator to the WUZHI CMS backend. The attacker then navigates to the core index page and locates the seventh input field (as described in the advisory). When a crafted payload is submitted in that field, the input is stored server-side. Subsequently, when any user (including other administrators) views the homepage, the stored script executes in their browser [1].
Impact
Successful exploitation allows the attacker to execute arbitrary web scripts in the context of the affected application, potentially leading to session hijacking, defacement, or theft of sensitive data such as cookies and authentication tokens. The compromise occurs with the privileges of the victim user viewing the homepage [1].
Mitigation
As of the publication date (2018-11-05), the references list no official patch for WUZHI CMS 4.1.0. Users should upgrade to a newer version if a fix is released, or implement input validation and output encoding on the seventh input field as a workaround. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
References
[1] github.com/wuzhicms/wuzhicms/issues/159 (mitre, x_refsource_MISC)