CVE-2018-10367 in WUZHI
Summary
by MITRE
An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 05/05/2025
The vulnerability identified as CVE-2018-10367 represents a critical security flaw within WUZHI CMS version 4.1.0 that exposes the content management system to persistent cross-site scripting attacks. This issue specifically targets the CMS's content management capabilities where user input is not properly sanitized before being stored and subsequently rendered back to users. The vulnerability exists in the title or content sections of the CMS, making it particularly dangerous as these are fundamental components of any content management system where users routinely input and display textual information.
The technical implementation of this stored cross-site scripting vulnerability stems from inadequate input validation and output encoding mechanisms within the WUZHI CMS framework. When administrators or users submit content containing malicious javascript payloads through the title or content fields, the CMS fails to adequately filter or escape these inputs before storing them in its database. Subsequently, when other users access the affected content, the malicious scripts execute within their browser context, potentially leading to session hijacking, credential theft, or redirection to malicious websites. This vulnerability maps directly to CWE-79 which defines the classic cross-site scripting weakness where untrusted data is directly incorporated into web pages without proper validation or encoding.
The operational impact of this vulnerability extends far beyond simple script execution, as it provides attackers with a persistent foothold within the CMS environment. An attacker who successfully exploits this vulnerability can manipulate content displayed to other users, potentially compromising the integrity of the entire website. The stored nature of this XSS means that the malicious payload remains active even after the initial injection, allowing attackers to maintain access and execute commands over extended periods. This vulnerability particularly affects content management workflows where multiple users interact with the system, as any compromised user account could become a vector for further attacks against other system users.
From a threat modeling perspective, this vulnerability aligns with ATT&CK technique T1059.007 which describes the use of script-based commands in web applications. The exploitation of this flaw could enable attackers to perform actions such as stealing administrator cookies, modifying website content, or redirecting users to phishing sites. The vulnerability's impact is amplified in environments where the CMS serves as a primary interface for content management, as it provides attackers with a persistent mechanism to compromise the website's security posture. Organizations using WUZHI CMS 4.1.0 should immediately implement input sanitization measures and output encoding to prevent malicious payloads from being stored and executed. The recommended mitigations include implementing strict input validation, applying proper HTML encoding to all user-generated content, and ensuring that the CMS is updated to a version that addresses this specific vulnerability. Additionally, security monitoring should be enhanced to detect unusual content modifications that might indicate exploitation attempts.