CVE-2018-14512 in WUZHI
Summary
by MITRE
An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the index.php?m=core&f=set&v=sendmail URI. When the administrator accesses the "system settings - mail server" screen, the XSS payload is triggered.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/05/2025
This vulnerability represents a critical cross-site scripting flaw in WUZHI CMS version 4.1.0 that enables persistent attack vectors through the system's mail server configuration interface. The vulnerability specifically targets the form[nickname] parameter within the index.php?m=core&f=set&v=sendmail URI, allowing remote attackers to inject malicious web scripts or HTML content that persists within the application's data storage. The flaw manifests when administrators navigate to the "system settings - mail server" screen, where the stored XSS payload executes in their browser context, creating a persistent threat that can affect any administrator who views the affected configuration page.
The technical implementation of this vulnerability follows CWE-79 Cross-site Scripting patterns, where user-supplied input fails to undergo proper sanitization or encoding before being rendered in the web application's output. The persistent nature of this XSS vulnerability means that the malicious payload is stored server-side and executed whenever the affected administrative interface is accessed, rather than requiring the victim to click on a malicious link or perform specific actions. This characteristic significantly increases the attack surface and impact potential compared to reflected XSS variants. The vulnerability exploits the application's failure to implement proper input validation and output encoding mechanisms for user-controllable parameters within administrative interfaces.
From an operational perspective, this vulnerability presents a severe risk to system security as it allows attackers to execute arbitrary code within the context of administrator sessions. The attack requires minimal user interaction beyond accessing the specific administrative screen, making it particularly dangerous in environments where administrators frequently manage system settings. An attacker could potentially steal session cookies, perform actions on behalf of administrators, redirect users to malicious sites, or extract sensitive configuration data from the system. The vulnerability's impact extends beyond simple data theft as it can enable full administrative compromise, potentially leading to complete system takeover or data exfiltration operations.
Mitigation strategies should focus on implementing comprehensive input validation and output encoding mechanisms throughout the application's codebase, particularly within administrative interfaces where user input is processed. The recommended approach involves sanitizing all user-supplied data before storage and properly encoding output to prevent script execution in browser contexts. Organizations should immediately upgrade to patched versions of WUZHI CMS or implement temporary workarounds such as input filtering at the web application firewall level. Additionally, implementing Content Security Policy headers and regular security scanning of administrative interfaces can help reduce the risk of exploitation. The vulnerability demonstrates the critical importance of securing administrative interfaces and implementing defense-in-depth strategies that protect against persistent XSS threats, aligning with ATT&CK technique T1213 for data exploitation and T1059 for command and scripting interpreter usage patterns that attackers may employ through such vulnerabilities.