Description
wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.
Published: 2026-05-04
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

wCMS v1.4 contains a stored Cross‑Site Scripting vulnerability that is triggered when a new blog entry is created. The flaw allows an attacker to embed arbitrary JavaScript into the blog content, which will execute in the browsers of anyone who views the entry. This can lead to compromise of the visitor’s session, theft of authentication cookies, or execution of further malicious actions on the client side.

Affected Systems

The vulnerability is specific to wCMS version 1.4. No other vendors or product versions are currently listed as affected.

Risk and Exploitability

The CVSS score is 6.1, indicating medium severity. No EPSS score is available, and the vulnerability is not listed in KEV. The ability to inject client‑side code gives an attacker the potential to deface content, phish users, or propagate malware. The attack vector requires that the malicious blog entry be created, which may be possible only if the user is authenticated and has permission to create blog posts. If an attacker can obtain such privileges, the impact becomes significant for all visitors of the site.

Generated by OpenCVE AI on May 4, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of wCMS that contains the XSS fix.
  • Sanitize and properly encode all user‑supplied blog content before rendering it to users.
  • Restrict blog creation to authenticated users and enforce the least privilege principle and, if possible, apply a content‑security‑policy header.

Generated by OpenCVE AI on May 4, 2026 at 21:24 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting Vulnerability in wCMS 1.4 During Blog Creation

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Wcms
Wcms wcms
Vendors & Products Wcms
Wcms wcms

Mon, 04 May 2026 17:45:00 +0000

Type Values Removed Values Added
Title Cross‑Site Scripting Vulnerability in wCMS 1.4 During Blog Creation
Weaknesses CWE-79

Mon, 04 May 2026 16:30:00 +0000

Type Values Removed Values Added
Description wCMS v.1.4 is vulnerable to Cross Site Scripting (XSS) when creating a new blog.
References

Subscriptions

Wcms Wcms
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T19:47:09.271Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38669

cve-icon Vulnrichment

Updated: 2026-05-04T19:47:05.704Z

cve-icon NVD

Status : Received

Published: 2026-05-04T17:16:23.333

Modified: 2026-05-04T20:16:18.580

Link: CVE-2026-38669

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T21:30:09Z

Weaknesses