CVE-2025-15452
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in xnx3 wangmarket CMS versions up to 4.9. Attackers can inject malicious scripts via the Description parameter in the backend variable search function, potentially compromising administrator sessions. The vulnerability affects systems running vulnerable versions of xnx3 wangmarket with internet-facing admin interfaces.
💻 Affected Systems
- xnx3 wangmarket
📦 What is this software?
Wangmarket by Wang.market
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full administrative access to the CMS, deface websites, or install backdoors for persistent access.
Likely Case
Attackers hijack administrator sessions to modify website content, steal sensitive data, or redirect users to malicious sites.
If Mitigated
With proper input validation and output encoding, the attack fails to execute malicious scripts, preventing session hijacking.
🎯 Exploit Status
Exploit requires authentication to access the vulnerable admin endpoint. Public exploit details are available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch available. Consider upgrading to a version above 4.9 if available, or implement workarounds.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side input validation to sanitize the Description parameter by removing or encoding HTML/JavaScript special characters.
Implement input sanitization in the variableList function to filter <, >, &, ", ', /, and script tags
Output Encoding
Apply proper output encoding when displaying user-supplied data in the admin interface to prevent script execution.
Use HTML entity encoding (e.g., convert < to &lt;, > to &gt;) for all user inputs displayed in the admin panel
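Added example (not code from the advisory or from the wangmarket project): an entity encoder for the six characters the workaround lists, a rendering helper that shows the vulnerable raw interpolation beside the hardened encoded form, and the check from the "Verify Fix Applied" step that the payload survives only as text. The `<td>` markup and the `Description` field name are assumptions standing in for whatever the admin variable-search page actually emits; the slash is encoded as `&#x2F;` following the usual OWASP recommendation.

```python
"""Output encoding for a user-supplied Description value shown in an admin page.

Added example, not wangmarket's own code. The table-cell markup is assumed.
"""
import html

# The characters the workaround lists, mapped to their HTML entities.
# Per-character mapping means ordering does not matter (no double-encoding of &).
HTML_ENTITIES = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",   # assumption: encode '/' as OWASP recommends for HTML bodies
}


def encode_for_html(value: str) -> str:
    """Encode every special character so the browser treats the value as text."""
    return "".join(HTML_ENTITIES.get(ch, ch) for ch in value)


def render_description_cell(description: str, encode: bool = True) -> str:
    """Build the (assumed) table cell an admin variable-search result would show.

    encode=False reproduces the vulnerable behaviour: the value is interpolated
    raw, so a <script> tag in Description is executed by the admin's browser.
    encode=True is the hardened form described in the workaround.
    """
    shown = encode_for_html(description) if encode else description
    return f'<td class="description">{shown}</td>'


def is_sanitized(rendered_html: str, payload: str) -> bool:
    """Verification check: the raw payload must be absent from the page,
    while the decoded text must still be present (content preserved, not lost)."""
    return payload not in rendered_html and payload in html.unescape(rendered_html)


if __name__ == "__main__":
    # Benign test payload taken from the advisory's verification step.
    probe = "<script>alert('test')</script>"
    print("vulnerable:", render_description_cell(probe, encode=False))
    print("hardened:  ", render_description_cell(probe, encode=True))
    print("sanitized: ", is_sanitized(render_description_cell(probe), probe))
```

Encoding belongs at the point of output (the template or view), not only at input: a value stored before the filter was added is still rendered safely, and legitimate descriptions containing `<` or `&` are preserved rather than silently stripped.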
🧯 If You Can't Patch
- Restrict access to the admin interface using IP whitelisting or VPN to limit exposure to trusted networks only.
- Implement a Web Application Firewall (WAF) with XSS protection rules to block malicious payloads targeting the vulnerable endpoint.
🔍 How to Verify
Check if Vulnerable:
Check if the system runs xnx3 wangmarket version 4.9 or earlier by reviewing the software version in admin panel or configuration files.
Check Version:
Check the software version in the admin dashboard or configuration files (e.g., version.txt or similar).
Verify Fix Applied:
Test the vulnerable endpoint with a benign XSS payload (e.g., <script>alert('test')</script>) and verify it is properly sanitized or blocked.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /admin/system/variableList.do with script tags or encoded payloads in the Description parameter
- Multiple failed login attempts followed by successful admin access
Network Indicators:
- HTTP requests containing malicious script patterns targeting the vulnerable endpoint
SIEM Query:
source="web_logs" AND uri="/admin/system/variableList.do" AND (body CONTAINS "<script>" OR body CONTAINS "javascript:" OR body CONTAINS "onerror=" OR body CONTAINS "onload=")
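Added example (not part of the advisory or the wangmarket project): the SIEM query's conditions applied as plain detection logic over constructed web-server log lines. It goes slightly beyond the query by also URL-decoding the request body, so the "encoded payloads" mentioned under Log Indicators are caught as well. The JSON-per-line log format and the field names `uri` and `body` are assumptions about the log source.

```python
"""Detection logic for requests matching the SIEM query above.

Added example, not from the advisory. Log line format and field names are assumed.
"""
import json
from urllib.parse import unquote_plus

VULNERABLE_URI = "/admin/system/variableList.do"

# Same patterns as the SIEM query; matched case-insensitively.
SCRIPT_PATTERNS = ("<script>", "javascript:", "onerror=", "onload=")

# Constructed sample log lines (one JSON object per line, an assumed format).
SAMPLE_LOGS = [
    '{"src":"10.0.0.5","method":"POST","uri":"/admin/system/variableList.do","body":"Description=quarterly+report"}',
    '{"src":"10.0.0.9","method":"POST","uri":"/admin/system/variableList.do","body":"Description=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
    '{"src":"10.0.0.9","method":"POST","uri":"/admin/system/variableList.do","body":"Description=<img src=x onerror=alert(1)>"}',
    '{"src":"10.0.0.7","method":"GET","uri":"/admin/login.do","body":""}',
    '{"src":"10.0.0.7","method":"POST","uri":"/admin/system/other.do","body":"q=<script>x</script>"}',
    'not json at all',
]


def body_looks_malicious(body: str) -> bool:
    """True if the raw or URL-decoded body contains any of the script patterns."""
    candidates = (body.lower(), unquote_plus(body).lower())
    return any(pattern in text for text in candidates for pattern in SCRIPT_PATTERNS)


def find_suspicious_requests(log_lines):
    """Apply the SIEM query's conditions to each line; return the matching events."""
    hits = []
    for line in log_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the hunt
        if event.get("uri") != VULNERABLE_URI:
            continue
        if body_looks_malicious(event.get("body", "")):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for event in find_suspicious_requests(SAMPLE_LOGS):
        print(f"ALERT {event['src']} {event['method']} {event['uri']} body={event['body']!r}")
```

The second sample line would be missed by the literal query, since its body only contains `%3Cscript%3E`; decoding before matching closes that gap. Matches should be correlated with the admin session that issued them, since the endpoint requires authentication and a hit therefore points at either a compromised or a malicious administrator account.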