CVE-2018-9927
Description
An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSRF in WUZHI CMS 4.1.0 allows an attacker to create arbitrary user or administrator accounts without a token.
Vulnerability
WUZHI CMS 4.1.0 contains a cross-site request forgery (CSRF) vulnerability in the member add functionality at index.php?m=member&f=index&v=add. The endpoint does not validate a CSRF token, enabling an attacker to craft a malicious HTML page that, when visited by an authenticated administrator, silently creates a new account. Two proof-of-concept pages are provided: one that adds a normal user and one that adds an administrator account [1].
Exploitation
An attacker must trick an authenticated administrator into opening a crafted HTML page (e.g., via email, forum post, or social engineering). The page uses JavaScript to automatically submit a POST request to the vulnerable endpoint with predefined parameters such as username, password, and groupid. For the administrator account, groupid is set to 3. No further user interaction is required beyond loading the page [1].
Impact
Successful exploitation allows the attacker to create a new user or administrator account on the WUZHI CMS instance. By creating an administrator, the attacker gains full control over the CMS, including the ability to modify content, access sensitive data, and potentially execute code. This leads to a complete compromise of the application [1].
Mitigation
As of the referenced GitHub issue (reported 2018-04-10), no official patch has been released. Administrators should implement CSRF protection manually by adding anti-CSRF tokens to the vulnerable endpoint, or by restricting access to the account creation functionality via IP whitelisting or additional authentication checks. If the application is no longer maintained, consider migrating to an alternative CMS [1].
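The following is an added illustration of the manual mitigation described above (a synchronizer-token check plus an Origin/Referer match); it is example code written for this page, not code from WUZHI CMS or from the referenced issue. The session array, the `_csrf` field name, the host name `cms.example` and the function names are assumptions; the action parameters and the `username`, `password` and `groupid` fields follow the advisory text.

```php
<?php
// Added example: synchronizer-token CSRF protection for a PHP form handler.
// Hypothetical helper code, not part of WUZHI CMS. In a real deployment the
// $session array is $_SESSION after session_start().

declare(strict_types=1);

const CSRF_SESSION_KEY = '_csrf_token';

// Create (or reuse) a per-session token: 32 random bytes, 64 hex characters.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden input to embed in every state-changing form the CMS renders.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $token . '">';
}

// True only when the session holds a token and the POST body carries an
// identical one. A page on another origin cannot read the token, so an
// auto-submitting form hosted elsewhere fails this check. hash_equals
// compares in constant time.
function csrf_validate(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $actual   = $post['_csrf'] ?? '';
    if (!is_string($actual) || $expected === '' || $actual === '') {
        return false;
    }
    return hash_equals($expected, $actual);
}

// Defense in depth: if the browser sent an Origin or Referer header, require
// its host to be ours. A missing header is tolerated because some privacy
// settings strip it; the token check above is the primary control.
function same_origin(array $server, string $expectedHost): bool
{
    foreach (['HTTP_ORIGIN', 'HTTP_REFERER'] as $header) {
        if (!empty($server[$header])) {
            return parse_url($server[$header], PHP_URL_HOST) === $expectedHost;
        }
    }
    return true;
}

// Guarded handler for the member-add action (m=member&f=index&v=add).
function handle_member_add(array &$session, array $post, array $server, string $host): string
{
    if (!same_origin($server, $host) || !csrf_validate($session, $post)) {
        return '403 invalid or missing CSRF token';
    }
    // Real code would validate input and insert the member record here.
    return 'member ' . ($post['username'] ?? '') . ' created';
}

// --- Constructed demo (runs from the CLI, no web server needed) ---
$session = [];
$host    = 'cms.example';

// 1. Legitimate flow: the admin's form carries the token, same origin.
$form = '<form method="post" action="index.php?m=member&f=index&v=add">'
      . csrf_field($session) . '...</form>';
$post = ['username' => 'alice', 'password' => 'x', 'groupid' => '3',
         '_csrf' => $session[CSRF_SESSION_KEY]];
echo handle_member_add($session, $post, ['HTTP_ORIGIN' => 'https://cms.example'], $host), PHP_EOL;

// 2. Request arriving from another site without the token: rejected.
$post = ['username' => 'mallory', 'password' => 'x', 'groupid' => '3'];
echo handle_member_add($session, $post, ['HTTP_REFERER' => 'https://other.example/'], $host), PHP_EOL;
```

Every form and AJAX call that changes state needs the hidden field, not only the member-add form, and the token should be regenerated on login so a pre-authentication session cannot be reused. Setting the session cookie with `SameSite=Lax` or `Strict` adds a browser-side layer, but older browsers ignore it, so it complements rather than replaces the token.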
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
- www.iwantacve.cn/index.php/archives/7
- github.com/wuzhicms/wuzhicms/issues/128
News mentions (0)
No linked articles in our index yet.