CVE-2026-7012
Description
A vulnerability was detected in MaxSite CMS up to 109.3. This affects an unknown part of the component Redirect Plugin. The manipulation of the argument f_all/f_all404 results in cross site scripting. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 109.4 is able to mitigate this issue. The patch is identified as 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. You should upgrade the affected component. The vendor was informed early about this issue. They classify it as a "Self-XSS". They deployed a countermeasure: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MaxSite CMS up to 109.3 has a self-XSS in the Redirect Plugin due to missing htmlspecialchars() on f_all/f_all404 parameters.
Vulnerability
Overview
CVE-2026-7012 describes a cross-site scripting (XSS) vulnerability in MaxSite CMS versions up to 109.3, specifically within the Redirect Plugin. The issue stems from insufficient sanitization of the f_all and f_all404 parameters, which are not passed through htmlspecialchars() before being rendered. The vendor classifies this as a "Self-XSS" and acknowledges it as a violation of secure coding standards [1].
Exploitation
An attacker needs no account of their own to exploit this vulnerability remotely, as the affected parameters are user-controllable inputs in the plugin's admin interface. The attack does, however, require the victim to be logged in as an administrator and to interact with a crafted link or form that injects malicious script into the plugin settings. Since the XSS is self-contained (Self-XSS), the attacker cannot directly target other users unless they trick an admin into executing the payload [4].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the admin's session. This could lead to unauthorized actions such as modifying site configuration, exfiltrating session cookies, or performing other administrative operations. However, the impact is limited to the admin's own browser session, reducing the overall severity [1][4].
Mitigation
The vulnerability is patched in MaxSite CMS version 109.4, which adds htmlspecialchars() to the output of the f_logging_file parameter in the Redirect Plugin [1]. Users should upgrade to version 109.4 or apply the commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 to mitigate the issue. No workarounds are provided, but the patch is straightforward [2][3].
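To illustrate the class of defect described above, the following is an added example (not MaxSite CMS code, and not the actual patch): a hypothetical settings form that echoes a stored plugin value back into an input attribute, first without escaping and then with htmlspecialchars() applied. Function names and the sample value are constructed for this example.

```php
<?php
// Added example, not code from MaxSite CMS or its Redirect Plugin.
// Field and function names are hypothetical; the pattern mirrors the
// description of CVE-2026-7012 (a plugin setting rendered into HTML
// without htmlspecialchars()).

// Vulnerable pattern: the stored value is interpolated into an HTML
// attribute unescaped, so a value containing a double quote or angle
// brackets terminates the attribute and becomes live markup.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: escape for the HTML attribute context. ENT_QUOTES
// covers both quote styles; the explicit charset avoids mis-decoding.
function html_attr(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_field_safe(string $name, string $value): string
{
    return '<input type="text" name="' . html_attr($name)
        . '" value="' . html_attr($value) . '">';
}

// Simple self-check: once escaped, the attribute value must not contain a
// raw double quote or angle bracket, so it cannot close the attribute.
function value_is_inert(string $html): bool
{
    $start = strpos($html, 'value="') + strlen('value="');
    $inner = substr($html, $start, strrpos($html, '"') - $start);
    return !str_contains($inner, '"') && !str_contains($inner, '<');
}

// Constructed sample standing in for a tampered f_all setting.
$untrusted = '"><script>alert(1)</script>';

$unsafe = render_field_unsafe('f_all', $untrusted);
$safe   = render_field_safe('f_all', $untrusted);

echo "unsafe: ", $unsafe, PHP_EOL;
echo "safe:   ", $safe, PHP_EOL;
echo "unsafe inert? ", var_export(value_is_inert($unsafe), true), PHP_EOL;
echo "safe inert?   ", var_export(value_is_inert($safe), true), PHP_EOL;
```

Run it with `php example.php` (PHP 8.0 or later, for str_contains) to see the unescaped rendering break out of the attribute while the escaped one stays inert.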
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.