• WonderCMS: v-2.5.2
• PHP Version: 5.6.35
• Apache Version: 2.4.33
• Operating system: Microsoft Windows v10
Vulnerability name: cross-site scripting.
Steps to reproduce:
1: Go to settings->general->addpage.
2: In the content of the page, execute malicious JavaScript "><script>alert(1)</script> and save the page.
3: XSS payload will be reflected to the browser.
POC:
Type payload "><script>alert(1)</script>
Regards
RItesh Kumar
This is considered SELF-XSS. In short, this is a feature which enables admins to post JavaScript anywhere, not just in the add page field.
A visitor cannot execute JavaScript anywhere and the fields are sanitised from the visitor layer.
Please check #57 for more info; this has been reported a few times. You can also check the closed tickets.
Feel free to comment to keep the discussion going.
Additional note: this bug has been reported to Mitre and has also been disputed. The admin also cannot be tricked into posting XSS via a malicious web site, as the admin is also protected by a CSRF token.
robiso changed the title from "Cross site scripting vulnerabilty found in add page" to "Cross site scripting vulnerabilty found in add page [SELF-XSS]" on Aug 12, 2018
robiso changed the title from "Cross site scripting vulnerabilty found in add page [SELF-XSS]" to "[SELF-XSS] Cross site scripting vulnerabilty found in add page" on Aug 12, 2018
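The trust boundary described in the maintainer's reply above (visitor fields escaped, admin content stored raw but gated by login and a CSRF token), as an added PHP example. It is not WonderCMS source code: the function names, session keys and sample values are hypothetical, and it assumes PHP 7 or later.

```php
<?php
// Added illustration, NOT WonderCMS code. All names below are hypothetical.

// Visitor layer: untrusted input is HTML-escaped before it is echoed,
// so markup supplied by a visitor is rendered as inert text.
function render_visitor_field(string $input): string
{
    return htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Admin layer: page content is stored unmodified (admins may embed
// JavaScript by design), but only for an authenticated session that
// presents the CSRF token issued to that session.
function save_admin_page(array $session, array $post, array &$pages): bool
{
    if (empty($session['logged_in'])) {
        return false; // anonymous visitors never reach the raw-content path
    }
    $expected = $session['csrf_token'] ?? '';
    $supplied = $post['token'] ?? '';
    // hash_equals() compares in constant time; a request forged from
    // another site cannot include the per-session token.
    if ($expected === '' || !is_string($supplied) || !hash_equals($expected, $supplied)) {
        return false;
    }
    $pages[$post['page']] = $post['content'];
    return true;
}

// Constructed sample data for the demonstration.
$session = ['logged_in' => true, 'csrf_token' => bin2hex(random_bytes(32))];
$pages   = [];
$markup  = '"><script>alert(1)</script>'; // the string from the report above

// 1. The same string arriving through a visitor-facing field is escaped.
echo render_visitor_field($markup), PHP_EOL;

// 2. A cross-site forged request carries the admin's cookie but no token.
$forged = ['page' => 'home', 'content' => $markup];
var_dump(save_admin_page($session, $forged, $pages));

// 3. The admin's own form submission includes the session token.
$legit = $forged + ['token' => $session['csrf_token']];
var_dump(save_admin_page($session, $legit, $pages));
var_dump(array_keys($pages));
```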