WCMS 11
cpe:2.3:a:wcms:wcms:*:*:*:*:*:*:*
- 11
A stored cross-site scripting vulnerability has been identified in WCMS version 11. The issue arises in the Registration component, specifically within the file '/index.php?anonymous/setregister'. The vulnerability is triggered by manipulating the 'Username' parameter, allowing attackers to inject malicious scripts. When an administrator accesses the member management interface, these scripts are executed, potentially leading to session hijacking or unauthorized modifications of the page.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected page, such as an administrator.
To reproduce this vulnerability, log into the WCMS 11 application as an administrator. Navigate to the registration process and submit a username that includes a malicious script. Once the username is saved, go to the user management module to trigger the execution of the injected script.
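The flaw described above comes down to the stored 'Username' value reaching the member management page without HTML encoding. The following is an added example, not WCMS code and not part of the original advisory; the function names, the username policy and the sample rows are assumptions. It shows an unencoded renderer beside allowlist validation at registration and output encoding in the admin view.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers: WCMS's real registration and member-list code is not shown on the page.

/** Registration side: accept only names matching a strict allowlist. */
function is_valid_username(string $name): bool
{
    // Letters, digits, underscore, dot and hyphen, 3 to 32 characters (assumed policy).
    return preg_match('/\A[A-Za-z0-9_.-]{3,32}\z/', $name) === 1;
}

/** Vulnerable pattern: the stored value is concatenated into HTML unchanged. */
function render_member_row_unsafe(int $id, string $name): string
{
    return "<tr><td>$id</td><td>$name</td></tr>";
}

/** Hardened pattern: encode for the HTML context at output time. */
function render_member_row(int $id, string $name): string
{
    $safe = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<tr><td>$id</td><td>$safe</td></tr>";
}

// Constructed sample rows, as they might already sit in the members table.
$members = [
    [1, 'alice'],
    [2, '<script>alert(1)</script>'],   // legacy row stored before validation existed
    [3, 'bob" onmouseover="x'],         // attribute-breaking characters
];

foreach ($members as [$id, $name]) {
    // Show the registration check result and both renderings for comparison.
    printf("%-28s valid=%s\n", $name, is_valid_username($name) ? 'yes' : 'no');
    echo '  unsafe: ', render_member_row_unsafe($id, $name), "\n";
    echo '  safe:   ', render_member_row($id, $name), "\n";
}
```

Encoding at output also neutralizes rows that were stored before validation was introduced, which input validation alone cannot fix.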