MaxSite CMS Cross-Site Scripting Vulnerability in Guestbook Plugin

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in MaxSite CMS versions prior to 109.4, specifically within the Guestbook Plugin. The issue arises from improper sanitization of user input in the parameters f_text, f_slug, f_limit, and f_email. This vulnerability allows remote attackers to inject malicious scripts, which are then stored and can affect multiple users. Exploitation of this flaw could lead to account compromise, data manipulation, or unauthorized access to the administrative panel.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting: the injected script is saved with the guestbook data and executed in the browser of any user who views the stored content, in that user's session context.

Reproduction

To reproduce this vulnerability, submit input containing a script payload in one of the vulnerable fields (f_text, f_slug, f_limit, or f_email) of the Guestbook Plugin. Once the submission has been stored, the injected script executes whenever the stored data is viewed, demonstrating the stored cross-site scripting vulnerability.

Remediation

Users are advised to upgrade to MaxSite CMS version 109.4, which addresses this vulnerability. The update can be downloaded from the MaxSite CMS GitHub repository.
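The following is an added illustration of the fix class this advisory describes (per-field input validation on submit plus HTML output encoding on render) for the four parameter names it lists; it is hypothetical example code, not MaxSite's implementation, and the field limits, regexes and markup are assumptions.

```python
import html
import re
from dataclasses import dataclass
# Constructed example: the four guestbook parameters named in the advisory are
# validated on submit and HTML-encoded on render. Hypothetical code, not MaxSite's.
SLUG_RE = re.compile(r"^[a-z0-9]+(?:-[a-z0-9]+)*$")   # f_slug: URL-safe token only
LIMIT_RE = re.compile(r"^[0-9]{1,3}$")                # f_limit: digits only (no "+", "_", spaces)
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # f_email: coarse shape check

class ValidationError(ValueError):
    pass

@dataclass(frozen=True)
class GuestbookEntry:
    f_text: str
    f_slug: str
    f_limit: int
    f_email: str

def validate_entry(form: dict) -> GuestbookEntry:
    """Reject malformed values on submit; f_text passes through and is made safe at render."""
    text = str(form.get("f_text", "")).strip()
    if not 1 <= len(text) <= 2000:
        raise ValidationError("f_text: empty or too long")
    slug = str(form.get("f_slug", ""))
    if not SLUG_RE.fullmatch(slug):
        raise ValidationError("f_slug: only a-z, 0-9 and '-' allowed")
    limit = str(form.get("f_limit", ""))
    if not LIMIT_RE.fullmatch(limit) or not 1 <= int(limit) <= 100:
        raise ValidationError("f_limit: integer 1..100 required")
    email = str(form.get("f_email", ""))
    if len(email) > 254 or not EMAIL_RE.fullmatch(email):
        raise ValidationError("f_email: malformed address")
    return GuestbookEntry(text, slug, int(limit), email)

def accepts(form: dict) -> bool:
    """True if validate_entry() accepts the submission."""
    try:
        validate_entry(form)
    except ValidationError:
        return False
    return True

def render_entry(entry: GuestbookEntry) -> str:
    """Escape every stored value for HTML text/attribute context (the actual XSS fix)."""
    esc = lambda v: html.escape(str(v), quote=True)
    return (f'<li data-slug="{esc(entry.f_slug)}" data-limit="{esc(entry.f_limit)}">'
            f'<span class="text">{esc(entry.f_text)}</span> '
            f'<span class="email">{esc(entry.f_email)}</span></li>')
```

Validation alone does not fix the free-text field; the render-time encoding is what neutralises a stored tag, which is why both layers are shown.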

Added: Apr 26, 2026, 3:19 AM
Updated: Apr 26, 2026, 3:19 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 1.7
exploitability: 6.5
remediation: 7.7
relevance: 6.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.