Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.
AnalysisAI
Stored cross-site scripting (XSS) in wCMS v.1.4 allows remote attackers to inject malicious scripts when creating new blog entries, which are executed in the browsers of other users who view the affected blog. The vulnerability requires user interaction (victim visiting the compromised blog) and affects site confidentiality and integrity. No public exploit code or active exploitation has been confirmed at the time of analysis.
Technical ContextAI
The vulnerability is a stored XSS flaw (CWE-79) in the blog creation functionality of wCMS v.1.4. The application fails to properly sanitize or encode user-supplied input when processing new blog post creation, allowing an attacker to embed arbitrary JavaScript code that persists in the application's database and executes when other users access the affected blog content. This is distinct from reflected XSS because the malicious payload is permanently stored rather than transmitted via request parameters.
RemediationAI
Upgrade to a patched version of wCMS newer than v.1.4 if available from the vendor. Immediate compensating controls include implementing Content Security Policy (CSP) headers to restrict inline script execution and disallow unsafe-inline, which will prevent stored XSS payloads from executing even if present in the DOM-note this requires adjusting any legitimate inline scripts the application relies on. Additionally, apply strict input validation and HTML entity encoding on all blog post submission fields server-side before storage, and implement output encoding when rendering blog content to users. If patched versions are unavailable, consider deploying a Web Application Firewall (WAF) with XSS detection rules to block requests containing script tags or event handlers in blog creation parameters. Consult the vendor or GitHub reference (https://github.com/thv930/yumeng_wu/tree/main/1/readme.md) for the latest security guidance.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27001