CVE-2018-10311 in WUZHI
Summary
by MITRE
A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI.
Analysis
by VulDB Data Team • 05/05/2025
CVE-2018-10311 is a persistent (stored) cross-site scripting flaw in WUZHI CMS 4.1.0. It lives in the tags module: the affected request is /index.php?m=tags&f=index&v=add, and in WUZHI's routing m names the module, f the controller file and v the action, so the vulnerable code path is the add action of the tags module's index controller. That action accepts a tag[pinyin] form field (the romanized slug for the new tag) and writes it to the database without validating or encoding it. When a page that lists or links tags is later rendered, the stored value is emitted into the HTML as-is, so script or markup an attacker placed in tag[pinyin] executes in the browser of every user who views that page.
The weakness is CWE-79, improper neutralization of input during web page generation: untrusted data is placed into a page served to other users without being encoded for the HTML context it lands in. This instance is stored rather than reflected. The payload sits in the database, so the victim does not need to follow a crafted link; visiting any page that renders the poisoned tag is enough, and the payload keeps firing on every request until the row is removed. The attack surface is the tag management function, where tag[pinyin] serves as the tag's identifier. Because a pinyin slug is only ever ASCII letters, digits and separators, this field is unusually easy to validate with an allow-list; the CMS applies no such check, and no output encoding, anywhere between storing the value and rendering it.
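The store-then-render pattern described above, reduced to a runnable model. This is an added example, not WUZHI CMS code: the SQLite table, the slug pattern, the flat form keys ("tag[pinyin]" instead of PHP's nested $_POST['tag']['pinyin']) and the payload are all constructed here. It shows the vulnerable path (raw store, raw interpolation) next to the hardened one (allow-list validation on the way in, context-specific encoding on the way out), and that the output encoding alone already neutralises a row that was poisoned before the fix.

```python
import html
import re
import sqlite3
from urllib.parse import quote

# Constructed stand-in for the CMS tag table; the real WUZHI schema is not
# shown in the advisory, so these column names are an assumption.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, name TEXT, pinyin TEXT)")
    return db

# Form fields arrive as a flat dict keyed by the raw parameter name
# ("tag[pinyin]"), a simplification of PHP's nested $_POST['tag']['pinyin'].
def add_tag_vulnerable(db, form):
    """The flaw class: tag[pinyin] is written to the database exactly as submitted."""
    db.execute("INSERT INTO tags (name, pinyin) VALUES (?, ?)",
               (form.get("tag[name]", ""), form.get("tag[pinyin]", "")))

def render_tag_list_vulnerable(db):
    """The stored value is interpolated raw into HTML, so markup inside it is live."""
    rows = db.execute("SELECT name, pinyin FROM tags ORDER BY id").fetchall()
    return "".join(f'<li><a href="/tag/{p}">{n}</a></li>' for n, p in rows)

# Allow-list for a pinyin slug: lowercase ASCII words joined by single hyphens.
# Assumption: this is the shape the CMS expects; widen it if the site also
# uses underscores or digits-only slugs, but keep it an allow-list.
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")
MAX_LEN = 64

class ValidationError(ValueError):
    pass

def add_tag_hardened(db, form):
    """Reject anything that is not a plausible slug before it reaches storage."""
    pinyin = form.get("tag[pinyin]", "")
    name = form.get("tag[name]", "")
    if not SLUG_RE.fullmatch(pinyin) or len(pinyin) > MAX_LEN:
        raise ValidationError("tag[pinyin] must be a short lowercase ASCII slug")
    if not 0 < len(name) <= MAX_LEN:
        raise ValidationError("tag[name] must be 1..64 characters")
    db.execute("INSERT INTO tags (name, pinyin) VALUES (?, ?)", (name, pinyin))

def render_tag_list_hardened(db):
    """Encode for the context at render time, independent of what was stored.
    The slug lands in a URL inside an attribute, so it is percent-encoded and
    then attribute-encoded; the name lands in element text, so HTML-encoded."""
    rows = db.execute("SELECT name, pinyin FROM tags ORDER BY id").fetchall()
    return "".join(
        f'<li><a href="/tag/{html.escape(quote(p, safe="-"), quote=True)}">'
        f'{html.escape(n)}</a></li>'
        for n, p in rows)

# Defence in depth: a CSP that refuses inline script makes an injected
# <script> or onerror= handler inert even if both layers above are bypassed.
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")

# Constructed payload for the demo: closes the href attribute, then injects an
# element whose onerror handler runs script.
PAYLOAD = '"><img src=x onerror=alert(1)>'

def demo():
    """Returns (vulnerable_html, hardened_html_for_the_same_rows, payload_rejected)."""
    db = make_db()
    add_tag_vulnerable(db, {"tag[name]": "x", "tag[pinyin]": PAYLOAD})
    vulnerable_html = render_tag_list_vulnerable(db)
    hardened_html = render_tag_list_hardened(db)   # same poisoned row, safe output
    try:
        add_tag_hardened(db, {"tag[name]": "x", "tag[pinyin]": PAYLOAD})
        rejected = False
    except ValidationError:
        rejected = True
    return vulnerable_html, hardened_html, rejected

if __name__ == "__main__":
    v, h, r = demo()
    print("vulnerable:", v)
    print("hardened:  ", h)
    print("payload rejected by validation:", r)
```

The order of the two fixes matters for an incident: shipping the render-time encoding first makes every already-stored payload harmless immediately, and the input validation then stops new bad rows; neither replaces deleting the poisoned rows from the table.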
The operational impact is that of any stored XSS: the injected script runs with the origin of the CMS in the victim's browser, so it can read or exfiltrate session data that is not HttpOnly, deface pages, phish credentials with an injected form, redirect victims, or issue requests to the application with the victim's privileges. If the victim is a backend administrator, that last capability matters most, because the script can then drive the admin interface on the attacker's behalf. Because the payload is persistent, it keeps executing for every user who encounters the affected tag until the code is patched and the malicious row is deleted from the database; patching alone leaves the stored payload in place. The advisory does not state whether the add action is reachable without authentication. If tag creation requires a backend login, the attacker needs such an account and the likely victims are the other backend users who view the tag list; if the site exposes tag creation to the public, every visitor is a victim.
Mitigation for CVE-2018-10311 has two independent halves. On input, validate tag[pinyin] against an allow-list that matches what a pinyin slug can actually be (lowercase ASCII letters, digits and hyphens, bounded in length) and reject everything else rather than trying to strip bad characters. On output, encode every stored tag value for the context it is rendered into at render time (in PHP, htmlspecialchars with ENT_QUOTES for HTML text and attributes, plus percent-encoding where the slug becomes part of a URL); output encoding is the fix that also neutralises payloads already sitting in the database, so it should ship first, followed by deleting the poisoned rows. A Content Security Policy that disallows inline script limits what an injected payload can do if either layer is bypassed. Access to tag creation should be restricted to the roles that need it, which shrinks the set of people who can plant a payload. These are the standard controls for injection flaws described in the OWASP Top Ten and the OWASP Cross-Site Scripting Prevention Cheat Sheet; MITRE ATT&CK is a catalogue of adversary behaviour, not a secure-coding reference. Input validation and output encoding should be covered by regular tests so the same defect is not reintroduced. For detection, watch for requests to m=tags&f=index&v=add carrying non-slug characters in tag[pinyin], with the caveat that a web server access log records only the query string, so form fields sent in a POST body are invisible there and must be taken from the application's own logs or a reverse proxy that records request bodies.
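The log check suggested above, as an added example rather than anything shipped with WUZHI CMS or VulDB. The access-log lines are constructed for the demo in combined log format; the endpoint, the parameter name and the module/controller/action routing come from the advisory, while the slug allow-list is the same assumption as before. It decodes each request's query string, keeps only hits on the tag-add endpoint, grades tag[pinyin] against the allow-list, and explicitly marks POST requests as unverifiable because their form body is not in the access log.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Apache/nginx combined format) invented for this
# demo; they are not real traffic. The second line carries a percent-encoded
# '"><img src=x onerror=alert(1)>' in tag[pinyin].
SAMPLE_LOG = """\
203.0.113.5 - - [05/May/2025:10:00:01 +0000] "GET /index.php?m=tags&f=index&v=add&tag%5Bname%5D=Beijing&tag%5Bpinyin%5D=bei-jing HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.9 - - [05/May/2025:10:00:02 +0000] "GET /index.php?m=tags&f=index&v=add&tag%5Bname%5D=x&tag%5Bpinyin%5D=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1024 "-" "curl/8.0"
203.0.113.9 - - [05/May/2025:10:00:03 +0000] "POST /index.php?m=tags&f=index&v=add HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [05/May/2025:10:00:04 +0000] "GET /index.php?m=content&f=index&v=lists HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target HTTP/x", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Allow-list for a pinyin slug (assumption, same as the validation rule).
SLUG_RE = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")

def is_tag_add(query):
    """True when the decoded query selects the tags module, index controller, add action."""
    return (query.get("m") == ["tags"]
            and query.get("f") == ["index"]
            and query.get("v") == ["add"])

def scan_access_log(text):
    """Return one finding per request to the tag-add endpoint, in log order."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # not a combined-format line
        parts = urlsplit(m["target"])
        if parts.path != "/index.php":
            continue
        query = parse_qs(parts.query, keep_blank_values=True)  # decodes tag%5Bpinyin%5D
        if not is_tag_add(query):
            continue
        pinyin = query.get("tag[pinyin]", [None])[0]
        if pinyin is None:
            # Typical for a form POST: the field is in the body, which the
            # access log never records. Flag it so it can be correlated with
            # application logs or a proxy that captures bodies.
            verdict = "body-not-logged"
        elif SLUG_RE.fullmatch(pinyin) and len(pinyin) <= 64:
            verdict = "ok"
        else:
            verdict = "suspicious"
        findings.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": m["status"], "pinyin": pinyin, "verdict": verdict,
        })
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['verdict']:16} {f['ip']:14} {f['method']:5} {f['pinyin']!r}")
```

A "suspicious" hit from the same client shortly before a "body-not-logged" POST, as in the sample, is the pattern to look for: a probe via the query string followed by the real submission. The verdict for the POST is deliberately not "ok"; absence of the field in the log is not evidence that it was benign.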