Vvveb CMS Stored Cross-Site Scripting Vulnerability Allowing Privilege Escalation
Vulnerability
A stored cross-site scripting vulnerability has been identified in Vvveb CMS versions prior to 1.0.8.3. The issue allows users with the Editor role to inject JavaScript payloads into post content, which are executed only when higher-privileged users (such as Administrators) edit the post. This vulnerability arises because the CMS does not properly sanitize HTML event-handler attributes before saving them, enabling passive session hijacking of administrators.
Impact
Exploitation of this vulnerability allows for session cookie theft and account takeover of an Administrator, Super Admin, or any user with the edit_post capability. It also enables the creation of backdoor admin accounts, installation of malicious plugins or theme modifications, and data exfiltration from the admin panel, including orders, customers, and settings.
Reproduction
To reproduce this vulnerability, log in as an Editor and create or edit a post. Insert a payload, such as an image tag with an event handler, into the content area. Save and publish the post, then log in as an Administrator in a separate session. Open the same post for editing in the admin panel. The injected script will execute in the Administrator's browser without any further interaction.
Remediation
Users are advised to update to Vvveb CMS version 1.0.8.3 or later. Additionally, implement server-side HTML sanitization, using tools like HTMLPurifier with a strict allowlist, to remove event-handler attributes and javascript: URIs from post content before saving.
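One way to apply the allowlist sanitization described above before post content is saved, as an added example that is not Vvveb's own code. It assumes HTMLPurifier is installed through Composer (ezyang/htmlpurifier); the function name sanitizePostContent() and the sample input are constructed for illustration.

```php
<?php
// Added example, not part of Vvveb CMS. Assumes: composer require ezyang/htmlpurifier
require __DIR__ . '/vendor/autoload.php';

// Hypothetical helper: call it on post content server-side, before the
// content is written to the database.
function sanitizePostContent(string $html): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Strict allowlist: only the listed elements and attributes survive.
        // No on* attribute appears here, so every event handler is dropped.
        $config->set(
            'HTML.Allowed',
            'p,br,strong,em,ul,ol,li,blockquote,h2,h3,a[href|title],img[src|alt|width|height]'
        );
        // Only these URI schemes are kept in href/src; javascript: is removed.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true, 'mailto' => true]);
        // Definition cache disabled so the example runs anywhere; in production
        // point Cache.SerializerPath at a writable directory instead.
        $config->set('Cache.DefinitionImpl', null);
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($html);
}

// Constructed sample of Editor-submitted content mixing legitimate markup
// with an event-handler attribute and a javascript: URI.
$submitted = '<p>Release notes</p>'
    . '<img src="https://example.com/a.png" alt="chart" onerror="alert(1)">'
    . '<a href="javascript:alert(1)" onclick="alert(1)">details</a>'
    . '<a href="https://example.com/changelog" title="Changelog">changelog</a>';

$clean = sanitizePostContent($submitted);

// Defence-in-depth check: refuse to store content if anything slipped through.
if (preg_match('/<[^>]*\son\w+\s*=|javascript:/i', $clean)) {
    throw new RuntimeException('Sanitized content still contains active markup');
}

echo $clean, PHP_EOL;
```

Content stored before the upgrade is not changed by sanitizing new saves, so existing posts need to be passed through the same function once.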
