VYPR
Moderate severity · NVD Advisory · Published Dec 15, 2021 · Updated Aug 4, 2024

CVE-2021-44116

Description

Anchor CMS <=0.12.7 has a stored XSS vulnerability in posts.php, allowing attackers to steal admin cookies via malicious post titles or content.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Anchor CMS versions 0.12.7 and earlier contain a stored Cross-Site Scripting (XSS) vulnerability in the /theme/posts.php file [1][3]. The application does not sanitize or filter user input when creating or editing posts via the posts column. Attackers can embed malicious JavaScript code into the post title or content fields, which is then stored and executed in the browsers of administrators who view the affected posts [1][3].

Exploitation

An attacker must have a registered user account with permission to create or edit posts (or be able to trick an admin into submitting malicious content). To exploit the vulnerability, the attacker creates a new post and inserts a crafted XSS payload (e.g., a `<script>` tag) in the title or content field [3]. When an authenticated administrator views the post (e.g., in the admin panel or on a front-end page that renders `posts.php`), the stored payload executes in the admin's browser session [1][3].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim administrator's session. The primary impact is cookie theft: the attacker can steal the administrator's session cookie and then impersonate that user, gaining access to the admin panel [1]. This can lead to full site compromise, including the ability to modify content, create new admin accounts, or inject further malicious code [1].

Mitigation

The Anchor CMS project is no longer maintained [2]; no patched version has been released. The vendor advises users to consider alternative platforms and not rely on Anchor CMS for production use [2]. As no fix exists, users must migrate to a different, actively maintained CMS. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
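As an added illustration (not Anchor CMS's own code), the unescaped-output pattern that produces this class of stored XSS, beside the output-encoding fix and the HttpOnly session-cookie setting that blunts the cookie-theft impact; the post array, function names and sample title are constructed for the example.

```php
<?php
// Added example, not Anchor CMS code: why a stored post title becomes live
// script in the admin's browser, and the two defensive layers that stop it.

// Constructed sample: a post as it might sit in the database after a user
// saved it. The title carries a script tag; the body is ordinary markup.
$post = [
    'title'   => "Hello <script>alert('xss')</script>",
    'content' => "<p>Plain <b>HTML</b> body</p>",
];

// Vulnerable pattern: stored fields are interpolated into the page as-is,
// so any markup the author typed is parsed as HTML when an admin views it.
function renderPostUnsafe(array $post): string
{
    return "<h2>{$post['title']}</h2>\n<div>{$post['content']}</div>";
}

// Hardened pattern: contextual output encoding. Database text is treated as
// text; ENT_QUOTES also covers attribute contexts. A field that must keep
// author-supplied markup needs an allow-list HTML sanitizer instead.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderPostSafe(array $post): string
{
    return "<h2>" . esc($post['title']) . "</h2>\n<div>" . esc($post['content']) . "</div>";
}

// Second layer: if a script does run, HttpOnly keeps document.cookie from
// exposing the session cookie and SameSite limits cross-site replay.
// Assumes PHP >= 7.3 for the array form of session_set_cookie_params().
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
}

// Demo: the unsafe render contains a live <script>; the safe one does not.
$unsafe = renderPostUnsafe($post);
$safe   = renderPostSafe($post);
assert(strpos($unsafe, '<script>') !== false && strpos($safe, '<script>') === false);
echo $safe, PHP_EOL;
```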

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: anchorcms/anchor-cms (Packagist)
Affected versions: <= 0.12.7
Patched versions: none

Patches

No patches discovered yet.
