Impact
This vulnerability arises from the Zenar Content Management System’s ajax.php endpoint, which reflects unsanitized user input from the current_page parameter in the HTML response. Because the input is not encoded, unauthenticated attackers can inject arbitrary JavaScript that will run in the victim’s browser when the page is viewed. This allows attackers to steal session cookies, deface the site, or redirect users to malicious locations. The weakness is a classic client‑side injection flaw (CWE‑79).
Affected Systems
All versions of Zenar CMS that still use ajax.php without input sanitization are affected. The advisory does not list specific version identifiers, so any deployment of Zenar Content Management System is potentially vulnerable until a patch is applied.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. No EPSS score is available and the vulnerability is not in the CISA KEV catalog, suggesting it is not currently widely exploited. The attack is delivered via an HTTP POST request to ajax.php and requires no authentication. An attacker can simply craft a form submission with embedded script tags in the current_page field to achieve impact. However, because the payload executes client-side, the scope is limited to browsers that load the reflected content. The absence of evidence of widespread exploitation lowers the immediate risk, but the potential for credential theft or session hijacking warrants attention.
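The reflection described under Impact, next to a hardened form, as an added example that is not Zenar's own code: the function names, the surrounding markup, the slug format assumed for current_page and the `home` fallback are all hypothetical, and the sample inputs are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical reconstruction of the flaw class: the POSTed value is
// concatenated into the HTML response unencoded (shown for contrast only).
function render_page_label_vulnerable(array $post): string
{
    return '<span class="page">' . ($post['current_page'] ?? '') . '</span>';
}

// Hardened form: validate against the expected shape, then encode on output.
function render_page_label_hardened(array $post): string
{
    $raw = $post['current_page'] ?? '';
    if (!is_string($raw)) {
        // Array-style input (current_page[]=...) is never a valid page id.
        $raw = '';
    }
    // Assumption: a page id is a short slug; anything else becomes the default.
    if (preg_match('/\A[A-Za-z0-9_\-]{1,64}\z/', $raw) !== 1) {
        $raw = 'home';
    }
    // Encode for the HTML context even after validation, so a later
    // loosening of the pattern does not reopen the reflection.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<span class="page">' . $safe . '</span>';
}

// Constructed sample inputs: one ordinary page id, one carrying markup.
$samples = [
    ['current_page' => 'news_2'],
    ['current_page' => '<script>alert(1)</script>'],
];

foreach ($samples as $post) {
    echo 'vulnerable: ', render_page_label_vulnerable($post), PHP_EOL;
    echo 'hardened:   ', render_page_label_hardened($post), PHP_EOL;
}
```

For fields that must accept free text rather than a slug, drop the pattern check and keep the `htmlspecialchars` call, since output encoding is what neutralises the reflected markup.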