CVE-2018-5215

Vulnerability

Fork CMS 5.0.7 is vulnerable to stored cross-site scripting (XSS) via the title parameter on the /private/en/pages/edit page. An authenticated user with page editing permissions can inject arbitrary HTML or JavaScript code into the title field. The input is not properly sanitized before being stored and later rendered when the page is viewed or edited, leading to persistent code execution in the browser context of other administrators [1][3].

Exploitation

An attacker must be logged in to the Fork CMS admin panel with privileges to edit pages. To exploit, the attacker navigates to /private/en/pages/edit for a target page, inserts a payload (e.g., ">) into the title parameter, and saves the page edit. The payload is stored and triggers in the browser of any user who subsequently views the edited page list or the affected page itself [1][3].

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary JavaScript in the context of other admin users' browsers. This can lead to session hijacking, defacement, or theft of sensitive administrative tokens. Because the attack is stored, it affects all subsequent viewers of the compromised page metadata [1][3].

Mitigation

No official patch or fixed version has been announced by the Fork CMS maintainers [2]. Users are advised to restrict admin account creation and apply manual input validation on the title field, or upgrade to a later version if available. The vulnerability is unpatched as of the publication date [1].