DolphinPHP User Management Page cross site scripting
Description
A vulnerability was found in DolphinPHP up to 1.5.0 and classified as problematic. The User Management Page is affected. The manipulation leads to cross-site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DolphinPHP up to 1.5.0 has a stored XSS in the User Management page via unsanitized nickname parameter, allowing arbitrary script execution in the admin panel.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in DolphinPHP through version 1.5.0 [1]. The flaw resides in the User Management page, where the system fails to properly sanitize the nickname POST parameter [1]. When an authenticated user sets their nickname to include malicious JavaScript, the unsanitized value is stored and later rendered without encoding, leading to script execution.
Exploitation
An attacker must have valid credentials to log into the DolphinPHP backend [1]. After login, the attacker navigates to personal settings (e.g., user profile) and inserts a malicious payload such as `` into the nickname field. Subsequently, when any administrator visits "User" → "Permission Management" → "User Management", the stored payload executes in the context of the victim's browser session [1]. The attack can be launched remotely with no additional privileges beyond a standard user account.
Impact
Successful exploitation results in arbitrary JavaScript execution within the admin interface, potentially leading to session hijacking, defacement, or theft of sensitive data accessible through the admin panel. The attacker gains the ability to perform actions on behalf of the victim administrator, escalating the impact to full administrative control [1].
Mitigation
A fix has not been officially released; DolphinPHP version 1.5.0 is the latest affected version [1]. As a workaround, users should apply input validation and output encoding on the nickname field, and restrict admin panel access to trusted users. No CISA KEV listing is associated with this CVE.
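The mitigation above (output encoding plus input validation on the nickname field) is illustrated by the following added example. It is not DolphinPHP's own code; the function names, the allow-list pattern and the sample input are constructed for illustration. It contrasts the unsafe rendering pattern that the Vulnerability section describes (a stored value echoed into admin HTML without encoding) with an encoded rendering and an input-side check.

```php
<?php
// Added example, not DolphinPHP's own code. Function names and the
// nickname policy below are hypothetical and only illustrate the fix pattern.

declare(strict_types=1);

// Vulnerable pattern: the stored nickname is interpolated into HTML verbatim,
// so any markup it contains becomes part of the page an administrator views.
function renderNicknameUnsafe(string $nickname): string
{
    return '<td>' . $nickname . '</td>';
}

// Hardened pattern: encode for the HTML text context at output time.
// ENT_QUOTES also encodes single quotes, ENT_SUBSTITUTE replaces invalid
// UTF-8 sequences instead of returning an empty string, and the charset is
// stated explicitly so the encoder never guesses.
function renderNicknameSafe(string $nickname): string
{
    $encoded = htmlspecialchars($nickname, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Defence in depth: validate on input as well. This is an allow-list
// (letters, digits, spaces, underscore, hyphen; 2 to 32 characters) chosen
// for the example; adjust it to the product's actual nickname policy.
// Validation alone is not a substitute for output encoding, because the
// same stored value may later be rendered in other contexts.
function isValidNickname(string $nickname): bool
{
    return preg_match('/^[\p{L}\p{N} _-]{2,32}$/u', $nickname) === 1;
}

// Constructed sample input containing HTML metacharacters (not an exploit string).
$sample = '<i>Bob</i> & "friends"';

// The allow-list rejects the sample because of the angle brackets, ampersand and quotes.
var_dump(isValidNickname($sample));

// Encoded output: every metacharacter becomes an entity, so the browser shows
// the characters as text rather than interpreting them as markup.
echo renderNicknameSafe($sample), "\n";

// Unsafe output: the markup reaches the browser verbatim.
echo renderNicknameUnsafe($sample), "\n";
```

The important design choice is that encoding happens where the value is written into HTML, not where it is read from the request: the stored nickname stays raw in the database, and each rendering context (HTML body, attribute, JavaScript) applies the encoder appropriate to it. Templating engines that auto-escape by default achieve the same effect, provided raw-output filters are not used on user-controlled fields.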
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.5.0
- unspecified/DolphinPHPv5 Range: 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/xiahao90/CVEproject/blob/main/DolphinPHPV1.5.0_xss.md (MISC)
- vuldb.com (MISC)
News mentions
No linked articles in our index yet.