Description
Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab.
Published: 2026-05-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Advanced Guestbook 2.4.4 contains a persistent cross‑site scripting flaw in the smilies administration interface that allows authenticated administrators to inject JavaScript by manipulating the s_emotion parameter; a malicious script that is stored will execute whenever the smilies tab is viewed, which can lead to arbitrary code execution in the context of the administrator’s browser. The CVE description does not specify the exact downstream effects of this execution, but the ability to run JavaScript grants potential control over the admin interface, which could be used for data exfiltration or site tampering, an inference derived from the nature of the flaw.

Affected Systems

The vulnerability affects installations of Advanced Guestbook version 2.4.4 provided by AmpPS that expose the smilies administration page; only systems that allow authenticated administrators to edit smilies entries are at risk.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity; the exploit requires authenticated access to the admin interface, limiting public exploitability; EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog; exploitation would necessitate one administrator unknowingly submitting malicious content and another administrator viewing the smilies tab.

Generated by OpenCVE AI on May 10, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install any available patch that removes the smilies XSS flaw in Advanced Guestbook.
  • If a patch is not available, eliminate the smilies administration feature or restrict access so that no administrator can edit smilies entries.
  • Validate and encode input for the s_emotion parameter on both entry and display to ensure script code is never executed.
  • Deploy a Content Security Policy on the administration pages that blocks inline JavaScript execution.

Generated by OpenCVE AI on May 10, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type Values Removed Values Added
Description Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by manipulating the s_emotion parameter. Attackers can submit POST requests to admin.php with JavaScript code in the s_emotion field, which executes when administrators view the smilies tab.
Title Advanced Guestbook 2.4.4 Persistent XSS via Smilies
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:52:11.604Z

Reserved: 2026-02-01T11:24:18.719Z

Link: CVE-2021-47950

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-10T13:16:31.587

Modified: 2026-05-10T13:16:31.587

Link: CVE-2021-47950

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses