Platform: other
Component: wangmarket
Fixed in: 4.0.1, 4.1.1, 4.2.1, 4.3.1, 4.4.1, 4.5.1, 4.6.1, 4.7.1, 4.8.1, 4.9.1
CVE-2025-15451 is a cross-site scripting (XSS) vulnerability affecting wangmarket versions 4.0 through 4.9. An attacker can inject script through the Description parameter of the System Variables page endpoint /admin/system/variableSave.do; the script then runs in the browser of a user whose session renders the affected content. A public proof-of-concept is available, and the vendor has not released a patch.
Successful exploitation lets an attacker execute arbitrary JavaScript in the browser session of a wangmarket user, which can be turned into session hijacking, credential theft, or defacement of the application's interface. The endpoint sits under /admin, so submitting a payload requires reaching the administrative interface, and the users most likely to execute the injected script are administrators, whose sessions carry the highest privileges. The public proof-of-concept lowers the effort needed to exploit the flaw, although the EPSS score (0.04%) currently predicts a low likelihood of exploitation in the wild.
CVE-2025-15451 has been publicly disclosed and a proof-of-concept is available. It is not currently listed on CISA KEV, and EPSS rates it in the 13th percentile, so there is no evidence of active campaigns at the time of writing. The combination of a public proof-of-concept and no vendor response nonetheless means that exposed installations should be mitigated rather than left waiting for a patch.
Exploit Status: public proof-of-concept available
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS Vector
No vendor patch is available, so mitigation is the immediate priority. Where you control the code, validate the Description parameter accepted by /admin/system/variableSave.do and, more importantly, HTML-encode the stored value wherever it is rendered; input validation on its own does not prevent XSS. Deploy a Web Application Firewall (WAF) rule that blocks script-bearing payloads sent to this endpoint, restrict the administrative interface to trusted users and networks, and monitor application and proxy logs for requests to the endpoint whose Description value looks like markup or script. After applying the mitigations, verify them in a test instance by submitting a simple XSS payload (for example a script tag) through the Description parameter and confirming that it is blocked or rendered inert.
Update wangmarket as soon as the vendor publishes a fixed release; at the time of writing no release later than 4.9 addresses the flaw. Until then, disable or remove the vulnerable functionality (the System Variables page) if your deployment can do without it. Because the vendor did not respond to the disclosure, also watch community forums for third-party fixes and consider whether migrating to a maintained platform is warranted.
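The log-monitoring and verification steps above can be made concrete. The following Python is an added example written for this page; it is not wangmarket code and not a published detection rule. It assumes a hypothetical reverse-proxy log format (combined log plus an optional `body=` field carrying the URL-encoded POST body); the endpoint path and parameter name are the ones from the advisory, and the sample log lines are constructed for the example. The detection flags requests to the endpoint whose Description value carries script-like markup (including double-encoded payloads), and `is_rendered_inert` shows the output-encoding check a fix must pass.

```python
import html
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint and parameter named in the advisory.
TARGET_PATH = "/admin/system/variableSave.do"
TARGET_PARAM = "Description"

# Heuristic XSS indicators (constructed, deliberately broad; tune for your traffic).
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),                  # onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
]

# Assumed (hypothetical) log format: combined log, followed by an optional
# `body=<urlencoded form>` field that the reverse proxy appends for POSTs.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
    r'(?: body=(?P<body>\S+))?'
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def description_values(entry):
    """Return every Description value carried by the request (query string or body)."""
    values = []
    target = entry["target"]
    if "?" in target:
        values += parse_qs(target.split("?", 1)[1]).get(TARGET_PARAM, [])
    if entry.get("body"):
        values += parse_qs(entry["body"]).get(TARGET_PARAM, [])
    # parse_qs already decoded once; decode again to expose double-encoded payloads.
    return [unquote_plus(v) for v in values]


def is_xss_attempt(line):
    """True if the line is a request to the vulnerable endpoint with a script-like Description."""
    entry = parse_line(line)
    if not entry or entry["target"].split("?", 1)[0] != TARGET_PATH:
        return False
    return any(p.search(v) for v in description_values(entry) for p in XSS_PATTERNS)


def find_attempts(lines):
    """Filter a log to the lines that look like attempts against the endpoint."""
    return [line for line in lines if is_xss_attempt(line)]


def encode_description(value):
    """Output-encode a Description value for an HTML text context (what a fix must do on render)."""
    return html.escape(value, quote=True)


def is_rendered_inert(value):
    """Verification step: after encoding, no tag or attribute delimiter may survive."""
    return not re.search(r"[<>\"']", encode_description(value))


# Constructed sample log: two probes against the endpoint (one double-encoded),
# one benign save, and one script payload sent to an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2025:12:00:00 +0000] "POST /admin/system/variableSave.do HTTP/1.1" 200 512 '
    'body=name=site_title&Description=%3Cscript%3Ealert(1)%3C%2Fscript%3E',
    '10.0.0.5 - - [01/Jan/2025:12:00:01 +0000] "POST /admin/system/variableSave.do HTTP/1.1" 200 512 '
    'body=name=site_title&Description=Front+page+banner',
    '10.0.0.9 - - [01/Jan/2025:12:00:02 +0000] "GET /admin/system/variableSave.do'
    '?name=x&Description=%253Cimg+src%3Dx+onerror%3Dalert(1)%253E HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2025:12:00:03 +0000] "POST /admin/login.do HTTP/1.1" 302 0 '
    'body=user=admin&Description=%3Cscript%3E',
]

if __name__ == "__main__":
    for hit in find_attempts(SAMPLE_LOG):
        print("suspicious:", hit)
    print("encoded:", encode_description("<script>alert(1)</script>"))
```

Run it against your own proxy or application log after adjusting `LOG_RE` to the real format; the patterns are intentionally noisy indicators for triage, not a replacement for the WAF rule, and `is_rendered_inert` is the property to assert in a regression test once the Description value is encoded on output.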
CVE-2025-15451 is a cross-site scripting (XSS) vulnerability in wangmarket versions 4.0 through 4.9, allowing attackers to inject malicious scripts.
You are affected if you are running wangmarket versions 4.0 to 4.9 and have not implemented mitigating controls.
A vendor patch is not currently available. Mitigate by HTML-encoding the Description value on output and validating it on input, adding WAF rules for the /admin/system/variableSave.do endpoint, and restricting access to the administrative interface.
A public proof-of-concept exists, which lowers the effort needed to exploit the flaw; EPSS nonetheless rates the current likelihood of exploitation as low (0.04%, 13th percentile), and the CVE is not on CISA KEV.
The vendor has not yet released an advisory for this vulnerability. Monitor the wangmarket website and security mailing lists for updates.