CVE-2018-10221

Name of the Vulnerable Software and Affected Versions: WUZHI CMS version 4.1.0

Description: A persistent XSS issue allows stealing administrator cookies via the tag parameter in the "index.php?m=tags&f=index&v=add&& su=wuzhicms" API endpoint. This can be exploited by a website editor with lower privileges than the administrator, who can add new tags with an XSS payload after logging in.

Recommendations: For WUZHI CMS version 4.1.0, as a temporary workaround, consider restricting access to the "index.php?m=tags&f=index&v=add&& su=wuzhicms" API endpoint to prevent adding new tags with malicious payloads. Avoid using the tag parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.