CVE-2018-9926
Description
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WUZHI CMS 4.1.0 has a CSRF vulnerability allowing an attacker to add a new admin account by tricking an authenticated admin into visiting a crafted page.
Vulnerability
A Cross-Site Request Forgery (CSRF) vulnerability exists in WUZHI CMS 4.1.0 in the /index.php?m=core&f=power&v=add endpoint. This endpoint lacks CSRF protection, allowing an attacker to craft a malicious page that, when visited by an authenticated administrator, can add a new admin account with arbitrary credentials [1]. The vulnerability affects WUZHI CMS version 4.1.0.
Exploitation
To exploit this vulnerability, an attacker must trick an authenticated administrator into visiting a specially crafted HTML page (or clicking a link that triggers the payload). The PoC provided demonstrates a form that automatically submits a POST request to the vulnerable endpoint with predefined parameters for a new admin account (username, password, email, etc.) [1]. No additional user interaction is required beyond accessing the malicious page.
Impact
Successful exploitation allows an attacker to create a new administrator account, granting full control over the CMS. This can lead to unauthorized access, data modification, deletion, and further compromise of the web application and its underlying server.
Mitigation
As of the publication date, no official patch has been released for CVE-2018-9926 [1]. Administrators should consider implementing CSRF tokens manually or restricting access to the vulnerable endpoint. Upgrading to a newer version of WUZHI CMS beyond 4.1.0 may address this issue, but the vendor's status is unclear. Applying general CSRF defenses, such as SameSite cookies and anti-CSRF tokens, is recommended.
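One way to apply the token and SameSite defenses named above to the add-admin request, as an added example that is not WUZHI CMS code or a vendor fix. The function names, the csrf_token form field and the use of a PHP session to hold the token are assumptions.

```php
<?php
// Added example: hypothetical guard, not WUZHI CMS code. Assumes it is
// included before the CMS dispatches the request and that PHP >= 7.3 is used.

// Issue (or reuse) a per-session token; the admin form must send it back in a
// hidden field named csrf_token (assumed field name).
function csrf_issue_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// True when Origin (or Referer as a fallback) names the host being served.
function csrf_same_origin(array $server): bool
{
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $sourceHost = parse_url($source, PHP_URL_HOST);
    $ownHost = parse_url('http://' . ($server['HTTP_HOST'] ?? ''), PHP_URL_HOST);
    return is_string($sourceHost) && is_string($ownHost)
        && strcasecmp($sourceHost, $ownHost) === 0;
}

// Decide whether a request may reach the add-admin action named in the CVE.
function csrf_allow_request(array $server, array $get, array $post, array $session): bool
{
    $isAddAdmin = ($get['m'] ?? '') === 'core'
        && ($get['f'] ?? '') === 'power' && ($get['v'] ?? '') === 'add';
    if (!$isAddAdmin || ($server['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return true; // only the POST described in the advisory is covered
    }
    $sent = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    return csrf_same_origin($server) && is_string($sent)
        && is_string($expected) && $expected !== ''
        && hash_equals($expected, $sent);
}

if (PHP_SAPI !== 'cli') {
    // SameSite=Lax keeps this session's cookie off cross-site POSTs.
    session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]);
    session_start();
    csrf_issue_token($_SESSION);
    if (!csrf_allow_request($_SERVER, $_GET, $_POST, $_SESSION)) {
        http_response_code(403);
        exit('CSRF check failed');
    }
}
```

The route match is exact, so if the router accepts other spellings of m, f or v the check belongs inside the action handler instead. The SameSite attribute set here covers only this guard's session cookie; the cookie the CMS uses for admin authentication needs the same attribute.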
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 4.1.0
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/44439/ (mitre, exploit, x_refsource_EXPLOIT-DB)
- www.iwantacve.cn/index.php/archives/6/ (mitre, x_refsource_MISC)
- github.com/wuzhicms/wuzhicms/issues/128 (mitre, x_refsource_MISC)