6.4.1
CVE-2025-15416 describes a cross-site scripting (XSS) vulnerability discovered in wangmarket versions 6.0 through 6.4. The flaw resides in the /siteVar/save.do endpoint, which allows attackers to inject malicious scripts by manipulating the Remark or Variable Value parameter. The vulnerability is rated LOW severity, and a public exploit is available, highlighting the potential for immediate exploitation.
Successful exploitation of CVE-2025-15416 allows an attacker to inject arbitrary JavaScript code into the web application. This can lead to various malicious outcomes, including session hijacking, defacement of the website, and redirection of users to phishing sites. The attacker could potentially steal sensitive user data, such as login credentials or personal information. Given the public availability of an exploit, the risk of exploitation is elevated, particularly for systems with unpatched instances of wangmarket.
This vulnerability has been publicly disclosed and a proof-of-concept exploit is available, indicating a high probability of exploitation. The CVE was published on 2026-01-01. The vendor, wangmarket, has not responded to early disclosure attempts, which may delay the release of a patch. The CVSS score is 2.4 (LOW), reflecting the potential for exploitation but also the limited impact of a successful attack.
Organizations utilizing wangmarket versions 6.0 through 6.4 are at risk, particularly those with publicly accessible instances of the application. Shared hosting environments where multiple users share the same server instance are also at increased risk, as a compromise of one user's account could potentially lead to the exploitation of this vulnerability across multiple websites.
• php / web:
  grep -r 'Remark/Variable Value' /var/www/wangmarket/siteVar/save.do
• generic web:
  curl -I 'http://your-wangmarket-site.com/siteVar/save.do?Remark/Variable%20Value=<script>alert(1)</script>'
• generic web: Examine access logs for requests to /siteVar/save.do containing suspicious characters or script tags in the Remark/Variable Value parameter.
• generic web: Check response headers for signs of XSS exposure, such as Content-Security-Policy directives that are missing or not properly configured.
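The access-log review suggested above, as an added example that is not part of the original advisory: a small Python scanner that picks out requests to /siteVar/save.do whose query parameters, after undoing one or more layers of URL encoding, contain script-like content. The log lines, the parameter names (`remark`, `value`) and the log format (Common Log Format with the query string logged) are constructed assumptions; wangmarket's real parameter names are not given on the page. Values submitted in a POST body do not appear in standard access logs, so those need WAF or request-body logging instead.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/siteVar/save.do"
# Heuristic markers of an XSS payload, checked after URL decoding.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*script\b|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe)\b", re.I)
# Common Log Format request line; assumes the query string is logged with the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded payloads are still seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return a finding dict for a save.do request carrying script-like input, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return None
    hits = []
    # parse_qs decodes once; decode_fully catches additional encoding layers.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for v in values:
            decoded = decode_fully(v)
            if SUSPICIOUS.search(decoded):
                hits.append((name, decoded))
    if not hits:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "params": hits}

def scan_log(lines):
    return [f for f in (scan_line(l) for l in lines) if f]

# Constructed sample access-log lines; parameter names are placeholders, not wangmarket's real ones.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /siteVar/save.do?remark=hello&value=world HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:01:00 +0000] "GET /siteVar/save.do?remark=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:02:00 +0000] "GET /siteVar/save.do?value=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:03:00 +0000] "GET /index.do?q=%3Cscript%3E HTTP/1.1" 200 128',
]
```

Running `scan_log(SAMPLE_LOG)` flags the second and third lines only; the request to /index.do is ignored because the scanner is scoped to the affected endpoint.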
EPSS: 0.03% (10th percentile)
The primary mitigation for CVE-2025-15416 is to upgrade to a patched version of wangmarket. Since a fixed version is not specified, immediate action is crucial. As a temporary workaround, implement strict input validation on the Remark/Variable Value parameter within the /siteVar/save.do endpoint. This should include sanitizing user input to prevent the injection of malicious scripts. Additionally, configure a Web Application Firewall (WAF) to detect and block XSS attempts targeting this endpoint. Regularly review access logs for suspicious activity.
Update wangmarket to a version later than 6.4. If updating is not possible, review and filter the input to the Remark and Variable Value fields to prevent malicious code injection.
CVE-2025-15416 is a cross-site scripting (XSS) vulnerability affecting wangmarket versions 6.0 through 6.4, allowing attackers to inject malicious scripts via the /siteVar/save.do endpoint.
You are affected if you are running wangmarket versions 6.0, 6.1, 6.2, 6.3, or 6.4 and have not applied a patch or implemented mitigating controls.
Upgrade to a patched version of wangmarket as soon as it becomes available. Until then, implement input validation and WAF rules to protect the /siteVar/save.do endpoint.
Yes, a public exploit exists, indicating a high probability of active exploitation. Prompt action is recommended.
Due to lack of vendor response, an official advisory may not be available. Monitor security news sources and community forums for updates.