MidnightBSD

Advisories for wuzhicms

CVE-2018-10221 LOW

An issue was discovered in WUZHI CMS V4.1.0. There is a persistent XSS vulnerability that can steal the administrator cookies via the tag[tag] parameter to the index.php?m=tags&f=index&v=add&&_su=wuzhicms URI. After a website editor (whose privilege is lower than the administrator) logs in, he can add a new TAGS with the XSS payload.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2018-10248 MEDIUM

An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can delete any article via index.php?m=content&f=content&v=recycle_delete.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-10311 MEDIUM

A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-10312 MEDIUM

index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-10313 LOW

WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-10367 LOW

An issue was discovered in WUZHI CMS 4.1.0. The content-management feature has Stored XSS via the title or content section.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-10368 LOW

An issue was discovered in WUZHI CMS 4.1.0. The "Extension Module -> System Announcement" feature has Stored XSS via an announcement.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-10391 LOW

An issue was discovered in WUZHI CMS 4.1.0. There is XSS via the email parameter to the index.php?m=member&v=register URI.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-11493 MEDIUM

An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a friendship link via index.php?m=link&f=index&v=add.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-11528 HIGH

WUZHI CMS 4.1.0 has SQL Injection via an api/sms_check.php?param= URI.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-11549 LOW

An issue was discovered in WUZHI CMS 4.1.0 There is a Stored XSS Vulnerability in "Account Settings -> Member Centre -> Chinese information -> Ordinary member" via a QQ number, as demonstrated by a form[qq_10]= substring.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-11722 HIGH

WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard coded.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2018-14472 MEDIUM

An issue was discovered in WUZHI CMS 4.1.0. The vulnerable file is coreframe/app/order/admin/goods.php. The $keywords parameter is taken directly into execution without any filtering, leading to SQL injection.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2018-14512 MEDIUM

An XSS vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[nickname] parameter to the index.php?m=core&f=set&v=sendmail URI. When the administrator accesses the "system settings - mail server" screen, the XSS payload is triggered.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-17425 LOW

WUZHI CMS 4.1.0 has stored XSS via the "Membership Center" "I want to ask" "detailed description" field under the index.php?m=member URI.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-17426 LOW

WUZHI CMS 4.1.0 has stored XSS via the "Extension module" "SMS in station" field under the index.php?m=core URI.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-17832 MEDIUM

XSS exists in WUZHI CMS 2.0 via the index.php v or f parameter.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhi_cms 2.0
CVE-2018-18711 MEDIUM

An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's password via index.php?m=core&f=panel&v=edit_info.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-18712 MEDIUM

An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can change the super administrator's username via index.php?m=member&f=index&v=edit&uid=1.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-18938 LOW

An issue was discovered in WUZHI CMS 4.1.0. There is stored XSS in index.php?m=core&f=index via an ontoggle attribute to details/open/ within a second input field.

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2018-20572 HIGH

WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893.

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2018-9926 MEDIUM

An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2018-9927 MEDIUM

An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-352,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2019-9107 MEDIUM

XSS exists in WUZHI CMS 4.1.0 via index.php?m=attachment&f=imagecut&v=init&imgurl=[XSS] to coreframe/app/attachment/imagecut.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2019-9108 MEDIUM

XSS exists in WUZHI CMS 4.1.0 via index.php?m=core&f=map&v=baidumap&x=[XSS]&y=[XSS] to coreframe/app/core/map.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2019-9109 MEDIUM

XSS exists in WUZHI CMS 4.1.0 via index.php?m=message&f=message&v=add&username=[XSS] to coreframe/app/message/message.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2019-9110 MEDIUM

XSS exists in WUZHI CMS 4.1.0 via index.php?m=content&f=postinfo&v=listing&set_iframe=[XSS] to coreframe/app/content/postinfo.php.

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2020-18654 MEDIUM

Cross Site Scripting (XSS) in Wuzhi CMS v4.1.0 allows remote attackers to execute arbitrary code via the "Title" parameter in the component "/coreframe/app/guestbook/myissue.php".

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2020-18877 MEDIUM

SQL Injection in Wuzhi CMS v4.1.0 allows remote attackers to obtain sensitive information via the 'flag' parameter in the component '/coreframe/app/order/admin/index.php'.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2020-19551 MEDIUM

Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-863,

Products Affected

Vendor Product Version
wuzhicms wuzhicms *
CVE-2020-19553 LOW

Cross Site Scripting (XSS) vlnerability exists in WUZHI CMS up to and including 4.1.0 in the config function in coreframe/app/attachment/libs/class/ckditor.class.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms *
CVE-2020-19770 LOW

A cross-site scripting (XSS) vulnerability in the system bulletin component of WUZHI CMS v4.1.0 allows attackers to steal the admin's cookie.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

CVSS 2.0

Severity: LOW

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2020-19897 MEDIUM

A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2020-19915 MEDIUM

Cross Site Scripting (XSS vulnerability exists in WUZHI CMS 4.1.0 via the mailbox username in index.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-79,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2020-20122 HIGH

Wuzhi CMS v4.1 contains a SQL injection vulnerability in the checktitle() function in /coreframe/app/content/admin/content.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2020-20124 MEDIUM

Wuzhi CMS v4.1.0 contains a remote code execution (RCE) vulnerability in \attachment\admin\index.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2020-20413

SQL injection vulnerability found in WUZHICMS v.4.1.0 allows a remote attacker to execute arbitrary code via the checktitle() function in admin/content.php.

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2020-21325

An issue in WUZHI CMS v.4.1.0 allows a remote attacker to execute arbitrary code via the set_chache method of the function\common.func.php file.

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2020-21590 MEDIUM

Directory traversal in coreframe/app/template/admin/index.php in WUZHI CMS 4.1.0 allows attackers to list files in arbitrary directories via the dir parameter.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-22,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2020-24930 MEDIUM

Beijing Wuzhi Internet Technology Co., Ltd. Wuzhi CMS 4.0.1 is an open source content management system. The five fingers CMS backend in***.php file has arbitrary file deletion vulnerability. Attackers can use vulnerabilities to delete arbitrary files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.1 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H 2.8 5.2

CVSS 2.0

Severity: MEDIUM

Problem Type: NVD-CWE-noinfo,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2020-28145 MEDIUM

Arbitrary file deletion vulnerability was discovered in wuzhicms v 4.0.1 via coreframe\app\attachment\admin\index.php, which allows attackers to access sensitive information.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-668,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.0.1
CVE-2020-36037

An issue was disocvered in wuzhicms version 4.1.0, allows remote attackers to execte arbitrary code via the setting parameter to the ueditor in index.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2021-40669 HIGH

SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the coreframe/app/promote/admin/index.php file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2021-40670 HIGH

SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords iparameter under the /coreframe/app/order/admin/card.php file.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2021-40674 HIGH

An SQL injection vulnerability exists in Wuzhi CMS v4.1.0 via the KeyValue parameter in coreframe/app/order/admin/index.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2021-41654 HIGH

SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allows attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2022-27431 HIGH

Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

CVSS 2.0

Severity: HIGH

Problem Type: CWE-89,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2022-36168

A directory traversal vulnerability was discovered in Wuzhicms 4.1.0. via /coreframe/app/attachment/admin/index.php:

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 2.7 LOW CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N 1.2 1.4

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2023-30123

wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings.

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2023-31860

Wuzhi CMS v3.1.2 has a storage type XSS vulnerability in the backend of the Five Finger CMS b2b system.

Products Affected

Vendor Product Version
wuzhicms wuzhi_cms 3.1.2
wuzhicms wuzhicms 3.1.2
CVE-2023-46482

SQL injection vulnerability in wuzhicms v.4.1.0 allows a remote attacker to execute arbitrary code via the Database Backup Functionality in the coreframe/app/database/admin/index.php component.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2023-52064

Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the $keywords parameter at /core/admin/copyfrom.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
wuzhicms wuzhi_cms 4.1.0
CVE-2024-10505 MEDIUM

A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were created by the researcher for the different function calls. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 6.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L 2.8 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-94,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2024-31008

An issue was discovered in WUZHICMS version 4.1.0, allows an attacker to execute arbitrary code and obtain sensitive information via the index.php file.

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2024-32206

A stored cross-site scripting (XSS) vulnerability in the component \affiche\admin\index.php of WUZHICMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $formdata parameter.

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2025-0480 MEDIUM

A vulnerability classified as problematic has been found in wuzhicms 4.1.0. This affects the function test of the file coreframe/app/search/admin/config.php. The manipulation of the argument sphinxhost/sphinxport leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
cna@vuldb.com 4.3 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N 2.8 1.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-918,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2025-25916

wuzhicms v4.1.0 has a Cross Site Scripting (XSS) vulnerability in del function in \coreframe\app\member\admin\group.php.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0
CVE-2025-3563 MEDIUM

A vulnerability was found in WuzhiCMS 4.1. It has been rated as critical. Affected by this issue is the function Set of the file /index.php?m=attachment&f=index&_su=wuzhicms&v=set&submit=1 of the component Setting Handler. The manipulation of the argument Setting leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
nvd@nist.gov 7.2 HIGH CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H 1.2 5.9
cna@vuldb.com 4.7 MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L 1.2 3.4

CVSS 2.0

Severity: MEDIUM

Problem Type: CWE-74,CWE-94,CWE-94,

Products Affected

Vendor Product Version
wuzhicms wuzhicms 4.1.0