VYPR
Low severity (3.5) · NVD Advisory · Published Aug 3, 2025 · Updated Apr 29, 2026

CVE-2025-8506

Description

A vulnerability was found in 495300897 wx-shop up to de1b66331368695779cfc6e4d11a64caddf8716e and classified as problematic. This issue affects some unknown processing of the file /user/editUI. The manipulation leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in wx-shop's /user/editUI page allows remote attackers to inject malicious scripts into the application.

Root Cause

The vulnerability is a stored cross-site scripting (XSS) issue found in the /user/editUI endpoint of the wx-shop project (commit up to de1b66331368695779cfc6e4d11a64caddf8716e). The backend API /user/saveUser fails to properly validate or sanitize user-supplied input. According to code analysis, the global filter lacks malicious parameter filtering, and the Controller, Service, and DAO layers all trust user input without validation [1]. Furthermore, the application does not HTML-entity-encode data when storing it in the database or when rendering it back to the browser [1].

Attack Vector

An attacker can remotely exploit this by crafting a malicious payload and submitting it via the /user/editUI form. The attack requires prior knowledge of valid administrator credentials, as the endpoint is part of the backend management system [1]. The lack of input validation allows the direct injection of harmful script content into backend storage.

Impact

When another user (including an administrator) views the stored malicious data, the injected script executes in their browser context. This can lead to session hijacking, defacement, or other client-side attacks. The disclosure of a proof-of-concept exploit raises the risk of active exploitation [1].

Mitigation

The project follows a rolling-release model, so no version-specific patch is available [description]. Developers should implement server-side input validation and output encoding to neutralize XSS payloads. Until fixed, administrators should restrict access to the backend interface.
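As an added illustration, not code from the wx-shop project (whose implementation language the page does not state), the Python below contrasts the rendering pattern the root-cause section describes with the two controls the mitigation names: HTML-entity encoding at output time and server-side validation at the save endpoint. The profile row, the nickname field, and the allow-list rules are constructed for the example; Python's HTMLParser stands in for the browser so the difference is observable as the set of elements each rendering creates.

```python
import html
from html.parser import HTMLParser

# Constructed sample row: a profile saved through an edit form that neither
# validated nor encoded its input. The field name and value are hypothetical;
# the advisory does not state wx-shop's actual schema.
STORED_PROFILE = {
    "username": "alice",
    "nickname": "<script>alert('xss')</script>",
}


class TagCollector(HTMLParser):
    """Records the element names and text a browser-like parser would produce."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.text: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def _parse(markup: str) -> TagCollector:
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def elements_in(markup: str) -> list[str]:
    """Element names the rendered HTML creates, in document order."""
    return _parse(markup).tags


def rendered_text(markup: str) -> str:
    """Visible text after entity decoding, i.e. what the user would read."""
    return "".join(_parse(markup).text)


def render_profile_unsafe(profile: dict) -> str:
    # Vulnerable pattern: the stored value is interpolated into HTML as-is,
    # so markup saved earlier becomes live elements for every viewer.
    return f'<div class="nickname">{profile["nickname"]}</div>'


def render_profile_safe(profile: dict) -> str:
    # Hardened pattern: HTML-entity-encode at output time. quote=True also
    # encodes quotes, so the same value is safe inside attribute values.
    return f'<div class="nickname">{html.escape(profile["nickname"], quote=True)}</div>'


NICKNAME_MAX_LEN = 32  # constructed limit for the example


def validate_nickname(value: str) -> bool:
    # Server-side validation at the save endpoint: a bounded-length allow-list
    # of letters, digits and a few separators. This is defence in depth; output
    # encoding above is still required for anything already in the database.
    if not 1 <= len(value) <= NICKNAME_MAX_LEN:
        return False
    return all(ch.isalnum() or ch in " _-." for ch in value)


if __name__ == "__main__":
    print("unsafe:", elements_in(render_profile_unsafe(STORED_PROFILE)))
    print("safe:  ", elements_in(render_profile_safe(STORED_PROFILE)))
    print("valid: ", validate_nickname(STORED_PROFILE["nickname"]))
```

The unsafe rendering yields a `div` plus a `script` element; the encoded rendering yields only the `div`, and the decoded visible text is the original string, so the viewer sees the payload as literal characters rather than executing it. The allow-list check rejects the same value before it reaches storage, which is the validation layer the root-cause section says is missing from the controller, service and DAO layers.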

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (4)

News mentions (0)

No linked articles in our index yet.