Platform: other
Component: wangmarket
Fixed in: 4.0.1, 4.1.1, 4.2.1, 4.3.1, 4.4.1, 4.5.1, 4.6.1, 4.7.1, 4.8.1, 4.9.1
A cross-site scripting (XSS) vulnerability has been discovered in xnx3 wangmarket versions 4.0 to 4.9. This flaw resides within the variableList function of the /admin/system/variableList.do file, specifically affecting the Description argument. Successful exploitation allows an attacker to inject malicious scripts, potentially compromising administrative sessions and sensitive data. A public exploit is available, highlighting the urgency of remediation.
The XSS vulnerability in xnx3 wangmarket allows an attacker to execute arbitrary JavaScript code within the context of a user's browser. This can lead to a variety of malicious actions, including session hijacking, defacement of the administrative interface, and theft of sensitive information such as user credentials or configuration data. Given the administrative context, a successful attack could grant the attacker significant control over the system. The availability of a public exploit significantly increases the likelihood of exploitation, making this a high-priority concern. The impact is amplified if the system handles sensitive data or is integrated with other critical systems.
This vulnerability is publicly known with a proof-of-concept exploit available. It has been added to the NVD database and is considered a low-severity vulnerability based on the CVSS score of 2.4. While the exploit is public, active exploitation campaigns have not been widely reported as of the publication date. The vendor's lack of response to early disclosure attempts raises concerns about the ongoing maintenance and security of the software.
Exploit Status
EPSS: 0.04% (13th percentile)
The primary mitigation for CVE-2025-15452 is to upgrade to a patched version of xnx3 wangmarket. As no fixed version is specified, thoroughly test any upgrade in a non-production environment before deploying to production. If upgrading is not immediately feasible, consider implementing input validation and output encoding on the Description field within /admin/system/variableList.do. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide a temporary layer of protection. Regularly review access logs for suspicious activity, specifically targeting requests to /admin/system/variableList.do with unusual parameters.
Update wangmarket to a version later than 4.9. If updating is not possible, review and filter the inputs of the 'Description' field in the variableList.do function to prevent malicious code injection.
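The log-review step above can be turned into a simple check. The following is an added example, not code from wangmarket or from the advisory: it scans combined-format access-log lines, keeps only requests to /admin/system/variableList.do, URL-decodes the Description parameter and flags values containing script-like markers. The log lines are constructed for illustration; the request-line regex and the marker list are assumptions to tune for your own log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in the common "combined" access-log layout (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2025:10:00:01 +0000] "GET /admin/system/variableList.do?Description=Site%20tagline HTTP/1.1" 200 512
10.0.0.7 - - [12/Jan/2025:10:00:09 +0000] "GET /admin/system/variableList.do?Description=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [12/Jan/2025:10:01:22 +0000] "GET /admin/index.do HTTP/1.1" 200 1024
10.0.0.11 - - [12/Jan/2025:10:02:40 +0000] "POST /admin/system/variableList.do?Description=x%22%20onmouseover%3Dalert(1)%20y%3D%22 HTTP/1.1" 200 512
"""

# Request line: method, target (path plus query), protocol, status. Assumed layout;
# adjust for other log formats.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Markers of injected markup once the value is URL-decoded: tags that carry script,
# inline event handlers, and javascript: URLs. Expect some false positives (e.g. "onion=").
SCRIPT_MARKERS = re.compile(r'<\s*/?\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=|javascript\s*:', re.I)

WATCHED_PATH = "/admin/system/variableList.do"
WATCHED_PARAM = "description"  # compared case-insensitively


def find_suspicious_requests(log_text):
    """Return (line_no, client_ip, decoded_value) for requests to the watched
    endpoint whose Description parameter contains script-like content.

    Only query-string parameters are visible in access logs; a POST body carrying
    the same parameter needs application-level request logging to be inspected."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != WATCHED_PATH:
            continue
        # parse_qs percent-decodes values, so encoded payloads are checked in the clear.
        params = parse_qs(parts.query, keep_blank_values=True)
        for name, values in params.items():
            if name.lower() != WATCHED_PARAM:
                continue
            for value in values:
                if SCRIPT_MARKERS.search(value):
                    hits.append((line_no, line.split(" ", 1)[0], value))
    return hits


if __name__ == "__main__":
    for line_no, ip, value in find_suspicious_requests(SAMPLE_LOG):
        print(f"line {line_no}: {ip} sent Description={value!r}")
```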
CVE-2025-15452 is a cross-site scripting (XSS) vulnerability affecting xnx3 wangmarket versions 4.0 through 4.9, allowing attackers to inject malicious scripts.
If you are running xnx3 wangmarket versions 4.0 to 4.9, you are potentially affected by this vulnerability. Upgrade to a patched version as soon as possible.
The recommended fix is to upgrade to a patched version of xnx3 wangmarket. If upgrading is not immediately possible, implement input validation and output encoding.
While active exploitation campaigns have not been widely reported, a public exploit exists, increasing the risk of attack.
Due to the vendor's lack of response, a direct advisory may not be available. Monitor security news sources and vulnerability databases for updates.