cvebase

Wuzhicms vulnerabilities

57 known vulnerabilities affecting wuzhicms/wuzhicms.

Total CVEs: 57
CISA KEV: 0
Public exploits: 5
Exploited in wild: 0
Severity breakdown: CRITICAL 12, HIGH 16, MEDIUM 28, LOW 1

Vulnerabilities

Page 1 of 3
CVE-2018-10312 | P3 | HIGH | CVSS 8.8 | PoC | v4.1.0 | 2018-04-24
CWE-352: index.php?m=member&v=pw_reset in WUZHI CMS 4.1.0 allows CSRF to change the password of a common member.
nvd
CVE-2018-9926 | P3 | HIGH | CVSS 8.8 | PoC | v4.1.0 | 2018-04-10
CWE-352: An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add an admin account via index.php?m=core&f=power&v=add.
nvd
CVE-2018-9927 | P3 | HIGH | CVSS 8.8 | PoC | v4.1.0 | 2018-04-10
CWE-352: An issue was discovered in WUZHI CMS 4.1.0. There is a CSRF vulnerability that can add a user account via index.php?m=member&f=index&v=add.
nvd
CVE-2020-20124 | P3 | HIGH | CVSS 8.8 | v4.1.0 | 2021-09-28
CWE-94: Wuzhi CMS v4.1.0 contains a remote code execution (RCE) vulnerability in \attachment\admin\index.php.
nvd
CVE-2020-19551 | P3 | HIGH | CVSS 8.8 | ≤ 4.1.0 | 2021-09-21
CWE-863: Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code execution.
nvd
CVE-2018-10311 | P4 | MEDIUM | CVSS 6.1 | PoC | v4.1.0 | 2018-04-24
CWE-79: A vulnerability was discovered in WUZHI CMS 4.1.0. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the tag[pinyin] parameter to the /index.php?m=tags&f=index&v=add URI.
nvd
CVE-2018-11722 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2018-06-05
CWE-89: WUZHI CMS 4.1.0 has a SQL Injection in api/uc.php via the 'code' parameter, because 'UC_KEY' is hard coded.
nvd
CVE-2020-36037 | P3 | HIGH | CVSS 8.8 | v4.1.0 | 2023-08-11
An issue was discovered in wuzhicms version 4.1.0, allows remote attackers to execute arbitrary code via the setting parameter to the ueditor in index.php.
nvd
CVE-2018-11528 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2018-05-29
CWE-89: WUZHI CMS 4.1.0 has SQL Injection via an api/sms_check.php?param= URI.
nvd
CVE-2018-10313 | P4 | MEDIUM | CVSS 5.4 | PoC | v4.1.0 | 2018-04-24
CWE-79: WUZHI CMS 4.1.0 allows persistent XSS via the form%5Bqq_10%5D parameter to the /index.php?m=member&f=index&v=profile&set_iframe=1 URI.
nvd
CVE-2020-21325 | P3 | HIGH | CVSS 8.8 | v4.1.0 | 2023-06-20
CWE-434: An issue in WUZHI CMS v.4.1.0 allows a remote attacker to execute arbitrary code via the set_chache method of the function\common.func.php file.
nvd
CVE-2020-20413 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2023-06-20
CWE-89: SQL injection vulnerability found in WUZHICMS v.4.1.0 allows a remote attacker to execute arbitrary code via the checktitle() function in admin/content.php.
nvd
CVE-2023-52064 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2024-01-10
CWE-89: Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the $keywords parameter at /core/admin/copyfrom.php.
nvd
CVE-2025-3563 | P3 | HIGH | CVSS 7.2 | v4.1.0, v4.1 | 2025-04-14
CWE-74: A vulnerability was found in WuzhiCMS 4.1. It has been rated as critical. Affected by this issue is the function Set of the file /index.php?m=attachment&f=index&_su=wuzhicms&v=set&submit=1 of the component Setting Handler. The manipulation of the argument Setting leads to code injection. The attack may be launched remotely. The exploit has been disclosed
nvd
CVE-2023-46482 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2023-11-01
CWE-89: SQL injection vulnerability in wuzhicms v.4.1.0 allows a remote attacker to execute arbitrary code via the Database Backup Functionality in the coreframe/app/database/admin/index.php component.
nvd
CVE-2021-41654 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2022-06-16
CWE-89: SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allows attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php
nvd
CVE-2024-10505 | P3 | HIGH | CVSS 7.2 | v4.1.0 | 2024-10-30
CWE-94: A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were
nvd
CVE-2018-20572 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2018-12-28
WUZHI CMS 4.1.0 allows coreframe/app/coupon/admin/copyfrom.php SQL injection via the index.php?m=promote&f=index&v=search keywords parameter, a related issue to CVE-2018-15893.
nvd
CVE-2021-40670 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2021-09-16
CWE-89: SQL Injection vulnerability exists in Wuzhi CMS 4.1.0 via the keywords parameter under the /coreframe/app/order/admin/card.php file.
nvd
CVE-2022-27431 | P3 | CRITICAL | CVSS 9.8 | v4.1.0 | 2022-05-04
CWE-89: Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php.
nvd