CVE-2026-7015
Description
A vulnerability has been found in MaxSite CMS up to version 109.3. It affects unspecified processing in the Guestbook Plugin component: manipulation of the arguments f_text, f_slug, f_limit or f_email leads to cross-site scripting. The attack may be launched remotely. An exploit has been disclosed to the public and may be used. Upgrading to version 109.4 addresses this issue; the patch is identified as commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7, and upgrading the affected component is recommended. The vendor was informed early about this issue and classifies it as a "Self-XSS", stating: "Nevertheless, we consider this a violation of secure coding standards. The lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The MaxSite CMS Guestbook Plugin is vulnerable to cross-site scripting through form fields that are rendered without HTML output encoding; fixed in version 109.4.
Vulnerability
Overview
CVE-2026-7015 describes a cross-site scripting (XSS) vulnerability in the Guestbook Plugin of MaxSite CMS up to version 109.3. The plugin rendered user-supplied values of the parameters f_text, f_slug, f_limit and f_email into HTML without output encoding. The vendor classifies the issue as a "Self-XSS" but acknowledges it as a violation of secure coding standards, noting that the missing htmlspecialchars() filtering has been fixed in the latest patch [1].
Exploitation
According to the description the attack may be launched remotely, and an exploit has been publicly disclosed, which raises the likelihood of opportunistic use [4]. An attacker places HTML or JavaScript in one of the affected parameters and the plugin writes it into the page unencoded. The advisory does not state whether setting these values requires an authenticated session or whether the rendered values are shown to other visitors; the vendor's "Self-XSS" classification implies that the payload is displayed back to the user who submitted it, so whether it reaches another user's browser depends on where the plugin displays these fields.
Impact
Where the injected markup is rendered in another user's browser, the usual XSS consequences apply: arbitrary JavaScript runs in that user's session context and can read cookies not flagged HttpOnly, deface the guestbook page, or redirect the victim to an attacker-controlled site. If the vendor's "Self-XSS" classification holds, that is, each value is only echoed back to the account that set it, the direct impact is limited to that user; self-XSS is nonetheless routinely abused by social-engineering a victim into submitting the payload themselves, which is why the vendor still treated the missing encoding as a defect worth fixing [1].
Mitigation
The vulnerability is fixed in MaxSite CMS version 109.4; the description names commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7 as the patch, which adds the previously missing htmlspecialchars() output encoding [1]. Operators should upgrade to 109.4 or later, as the vendor recommends [1]. The description lists no workaround. As general defence in depth rather than vendor guidance, a restrictive Content-Security-Policy and HttpOnly session cookies do not remove the injection point but blunt what an injected script can do until the upgrade is applied.
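As an added illustration, not code from MaxSite CMS or its Guestbook Plugin, the following PHP 8 snippet shows the defect the vendor describes: a form value interpolated into HTML with no encoding, beside the same rendering passed through htmlspecialchars(). The field names f_text and f_email come from the CVE description; the markup, the two render functions, the sample values and the contains_breakout() check are assumptions made for this example.

```php
<?php
// Added example, not MaxSite CMS code: a guestbook-style entry rendered
// unencoded (the vulnerable pattern) and encoded with htmlspecialchars()
// (the fix the vendor describes). Requires PHP 8.0+ for str_contains().
declare(strict_types=1);

// Constructed sample submission standing in for the f_text / f_email
// parameters named in the advisory. The f_email payload is built to
// break out of a double-quoted attribute; f_text carries a script tag.
const SAMPLE_FIELDS = [
    'f_text'  => '<script>alert(document.cookie)</script>',
    'f_email' => '" onmouseover="alert(1)',
];

// Vulnerable pattern (hypothetical template): submitted values are
// concatenated straight into the HTML body and an attribute value.
function render_entry_unescaped(array $fields): string
{
    return '<li class="entry" data-mail="' . $fields['f_email'] . '">'
         . $fields['f_text'] . '</li>';
}

// Hardened pattern: encode for the HTML context at the output point.
// ENT_QUOTES also encodes single quotes, which matters inside attribute
// values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_entry_escaped(array $fields): string
{
    return '<li class="entry" data-mail="' . h($fields['f_email']) . '">'
         . h($fields['f_text']) . '</li>';
}

// Regression check: true if a tag or an attribute breakout survived in
// the rendered markup, i.e. the encoding step was skipped somewhere.
function contains_breakout(string $html): bool
{
    return str_contains($html, '<script')
        || str_contains($html, '" onmouseover=');
}

$raw  = render_entry_unescaped(SAMPLE_FIELDS);
$safe = render_entry_escaped(SAMPLE_FIELDS);

printf("unescaped breakout: %s\n", contains_breakout($raw)  ? 'yes' : 'no');
printf("escaped breakout:   %s\n", contains_breakout($safe) ? 'yes' : 'no');
echo $safe, PHP_EOL;
```

htmlspecialchars() is the right encoder only for the HTML body and quoted attribute contexts; a value placed in a JavaScript block, a URL, or an unquoted attribute needs a context-specific encoder, and a numeric field such as f_limit is better cast with (int) before use. Encode at the output point rather than on input, so stored data stays intact and every rendering path is covered. PHP 8.1 made ENT_QUOTES | ENT_SUBSTITUTE part of the default flags, but passing them explicitly keeps the behaviour stable on older runtimes.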
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
News mentions (0)
No linked articles in our index yet.