| Title | matthewdeaves Willow CMS v1.4.0 Stored Cross Site Scripting |
|---|---|
| Description | Stored (persistent) XSS in Willow CMS v1.4.0. Users with administrative privileges can submit a blog in the New Blog form. The input is stored and later rendered on the homepage without proper sanitization/escaping (title and body fields), causing script execution in the browsers of any visitor who loads the page. PoC: https://www.youtube.com/watch?v=jhFCYpFu9qI |
| Source | https://github.com/matthewdeaves/willow/issues/131 |
| User | RiccK (UID 91602) |
| Submission | 10/14/2025 01:52 (8 months ago) |
| Moderation | 10/27/2025 13:13 (14 days later) |
| Status | Accepted |
| VulDB entry | 330115 [Willow CMS up to 1.4.0 Add Post Page /admin/articles/add title/body cross site scripting] |
| Points | 18 |