Willow CMS Cross-Site Scripting Vulnerability in Add Post Page

Vulnerability

A stored cross-site scripting vulnerability has been identified in Willow CMS versions prior to 1.4.0. This issue arises in the Add Post Page component, specifically within the file '/admin/articles/add'. The vulnerability allows users with administrative privileges to inject malicious scripts into the 'title' and 'body' fields, which are then executed in the context of visitors' browsers when the homepage is loaded. The vulnerability can be exploited remotely, and a proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability allows for remote script execution in the browsers of users visiting the affected page, potentially leading to session or cookie theft, UI manipulation, or unauthorized redirects.

Reproduction

To reproduce this vulnerability, an admin user can log into Willow CMS v1.4.0 and navigate to the 'Add Post' page. Once there, the user can enter a script into the 'title' or 'body' fields. After submitting the post, the injected script will be executed when the homepage is viewed by any visitor.
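The defect described above is a missing output-encoding step: values stored in 'title' and 'body' are written into the homepage markup as-is, so the browser interprets them as HTML. The following PHP snippet is an added example of the fix, not Willow CMS's own code; the function names `esc()` and `renderHomepage()` and the `['title' => ..., 'body' => ...]` record shape are assumptions for illustration (CakePHP, which Willow CMS is built on, ships an equivalent `h()` helper for the same purpose).

```php
<?php
// Added example (not Willow CMS code): render the homepage article list with
// output encoding so that whatever was stored in 'title' or 'body' is shown
// as literal text instead of being interpreted as HTML by the visitor's browser.

declare(strict_types=1);

/** Encode a value for insertion into an HTML text node or quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Build the homepage listing.
 * $articles is an array of ['title' => string, 'body' => string] records
 * (assumed shape; the real CMS entity may differ).
 */
function renderHomepage(array $articles): string
{
    $out = "<ul class=\"articles\">\n";
    foreach ($articles as $article) {
        // Titles are plain text: encode them unconditionally.
        $out .= '  <li><h2>' . esc($article['title']) . "</h2>\n";
        // The body is encoded here as well. If the CMS must allow rich text in
        // the body, run it through an allowlist HTML sanitizer (for example
        // HTMLPurifier) before output rather than echoing the stored markup.
        $out .= '    <div class="body">' . esc($article['body']) . "</div></li>\n";
    }
    return $out . "</ul>\n";
}

// Constructed sample record standing in for a post whose fields contain a
// script tag, i.e. the stored payload the advisory describes.
$sample = [
    ['title' => 'Welcome <script>alert(1)</script>', 'body' => 'First post <script>alert(2)</script>'],
];

$html = renderHomepage($sample);
echo $html;

// Sanity check for a regression test: no raw tag from the stored fields
// survives in the rendered output; only the encoded form does.
assert(strpos($html, '<script') === false);
assert(strpos($html, '&lt;script&gt;') !== false);
```

Encoding at the output boundary is the mitigation that matters here: filtering on the Add Post form alone does not protect content that is already stored or that arrives through another write path. For a regression test, store a title containing a script tag through the admin UI and assert that the homepage HTML contains only the `&lt;script&gt;` form.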

Added: Oct 27, 2025, 10:22 PM
Updated: Oct 27, 2025, 10:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.7
exploitability: 5.9
remediation: 0.0
relevance: 0.8
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.