Platform: php
Fixed in: 6.0.1, 6.1.1, 6.2.1, 6.3.1, 6.4.1
CVE-2025-15416 describes a cross-site scripting (XSS) vulnerability discovered in wangmarket versions 6.0 through 6.4. This flaw resides within the /siteVar/save.do endpoint, allowing attackers to inject malicious scripts through manipulation of the Remark/Variable Value argument. The vulnerability is rated as LOW severity and a public exploit is available, highlighting the potential for immediate exploitation.
Successful exploitation of CVE-2025-15416 allows an attacker to inject arbitrary JavaScript code into the web application. This can lead to various malicious outcomes, including session hijacking, defacement of the website, and redirection of users to phishing sites. The attacker could potentially steal sensitive user data, such as login credentials or personal information. Given the public availability of an exploit, the risk of exploitation is elevated, particularly for systems with unpatched instances of wangmarket.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The CVE was published on 2026-01-01. The vendor, wangmarket, has not responded to early disclosure attempts, which may delay the release of a patch. The CVSS score is 2.4 (LOW), reflecting the potential for exploitation but also the limited impact of a successful attack.
Exploit Status: public proof-of-concept available
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2025-15416 is to upgrade to a patched version of wangmarket. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement strict input validation on the Remark/Variable Value parameter within the /siteVar/save.do endpoint. This should include sanitizing user input to prevent the injection of malicious scripts. Additionally, configure a Web Application Firewall (WAF) to detect and block XSS attempts targeting this endpoint. Regularly review access logs for suspicious activity.
Update wangmarket to a version later than 6.4. If updating is not possible, review and filter the inputs of the Remark and Variable Value fields to prevent the injection of malicious code.
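The two mitigation paragraphs above describe the same server-side controls: filter what the Remark and Variable Value fields accept, encode stored values before they are rendered, and review access logs for attempts against /siteVar/save.do. The following is an added example written for this page, not wangmarket's own code; the parameter names `remark` and `value`, the allowlist pattern and the sample log lines are all assumptions or constructed data. It shows an allowlist check for the request, HTML output encoding (the control that actually neutralises a stored XSS payload even when input filtering is bypassed), and a coarse triage filter over access-log lines.

```python
import html
import re
from typing import Dict, List, Tuple

# Hypothetical parameter names for the /siteVar/save.do request; the real
# names used by wangmarket are not given on this page.
FIELDS = ("remark", "value")

# Allowlist for the Remark field: word characters, spaces and light punctuation,
# at most 200 characters. Adjust to what the site actually stores there.
REMARK_RE = re.compile(r"^[\w .,;:()\-]{0,200}$")
# Characters that must never reach an HTML context without encoding.
MARKUP_RE = re.compile(r"[<>\"'&]")


def validate_site_var(params: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Server-side validation for the hypothetical save handler.

    Returns (ok, names_of_rejected_fields); the caller should refuse the
    request when ok is False rather than trying to 'clean' the input.
    """
    rejected: List[str] = []
    remark = params.get("remark", "")
    value = params.get("value", "")
    if not REMARK_RE.fullmatch(remark):
        rejected.append("remark")
    # Variable values may legitimately need a wider character set than
    # remarks, so only raw markup is rejected here; rendering still encodes.
    if MARKUP_RE.search(value):
        rejected.append("value")
    return (not rejected, rejected)


def render_site_var(remark: str, value: str) -> str:
    """Encode both fields for an HTML text context before the admin page
    displays them, so a stored payload is shown as text, not executed."""
    return (
        f"<tr><td>{html.escape(remark, quote=True)}</td>"
        f"<td>{html.escape(value, quote=True)}</td></tr>"
    )


# Coarse indicators for log triage: raw or percent-encoded angle brackets and
# common script-bearing tokens. 'script' will also match harmless words such
# as 'description', so treat hits as candidates for review, not verdicts.
ENDPOINT = "/siteVar/save.do"
MARKERS = ("<", "%3c", "%3e", "script", "onerror", "onload", "javascript:")


def flag_suspicious_requests(log_lines: List[str]) -> List[str]:
    """Return access-log lines for the affected endpoint that carry
    markup-like content in the request line."""
    hits: List[str] = []
    for line in log_lines:
        if ENDPOINT not in line:
            continue
        lowered = line.lower()
        if any(marker in lowered for marker in MARKERS):
            hits.append(line)
    return hits


# Constructed sample log lines (not real traffic) in combined log format.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "POST /siteVar/save.do?remark=footer+note&value=2026 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2026:10:00:07 +0000] "POST /siteVar/save.do?remark=%3Cscript%3E&value=x HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2026:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    print(validate_site_var({"remark": "footer note", "value": "2026"}))
    print(validate_site_var({"remark": "<script>", "value": "1"}))
    print(render_site_var("footer note", "<b>2026</b>"))
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("review:", hit)
```

Input validation alone is not a complete XSS fix, because a value that passes the allowlist today may still be unsafe in a different output context (an attribute, a script block, a URL); `render_site_var` encodes for an HTML text context only, and each other context needs its own encoder. The log filter is deliberately broad and intended to shortlist lines for a human to look at.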
CVE-2025-15416 is a cross-site scripting (XSS) vulnerability affecting wangmarket versions 6.0 through 6.4, allowing attackers to inject malicious scripts via the /siteVar/save.do endpoint.
You are affected if you are running wangmarket versions 6.0, 6.1, 6.2, 6.3, or 6.4 and have not applied a patch or implemented mitigating controls.
Upgrade to a patched version of wangmarket as soon as it becomes available. Until then, implement input validation and WAF rules to protect the /siteVar/save.do endpoint.
Yes, a public exploit exists, indicating a high probability of active exploitation. Prompt action is recommended.
Due to lack of vendor response, an official advisory may not be available. Monitor security news sources and community forums for updates.