DaiCuo SEO Optimization Settings Section Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in DaiCuo version 1.3.13. An authenticated user with access to the admin panel can store HTML and JavaScript in the fields of the SEO Optimization settings section (site title and description) and, per the report, in other editable fields such as article content. Because these values are written into frontend pages without output encoding, the stored script runs in the browser of every visitor who loads an affected page, including the administrator, and can be used for session hijacking, phishing, or actions performed with the victim's privileges. The root cause is inadequate input sanitization combined with missing output encoding at the point where the values are rendered into HTML.

Impact

Exploitation results in stored cross-site scripting: the injected script runs with the origin and privileges of whoever views the affected page. Since the SEO fields are rendered site-wide, a single stored payload reaches every visitor, not just users of one article. Session cookies are exposed only if they lack the HttpOnly flag, but even without cookie theft the script can issue requests as the victim, rewrite page content for phishing, or keylog form input.

Reproduction

To reproduce this vulnerability, log into the admin panel with the default credentials (username: admin, password: admin888). Navigate to the SEO Optimization settings section and enter a script payload, such as an image tag with an error event handler, into a field like the site title or description. Save the changes, then load the homepage without authentication: the payload executes, and the page source shows the tag stored verbatim rather than entity-encoded, which confirms the stored XSS.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         1.7
exploitability: 3.9
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.