CVE-2026-7012 Overview
A Cross-Site Scripting (XSS) vulnerability was detected in MaxSite CMS up to version 109.3. This affects an unknown part of the Redirect Plugin component. The manipulation of the arguments f_all/f_all404 results in stored cross-site scripting. The attack can be launched remotely, and the exploit is now public and may be used. The vulnerability stems from improper input sanitization where the htmlspecialchars() function was not applied to user-controlled input, allowing malicious scripts to be injected and stored.
Critical Impact
Although classified as "Self-XSS" by the vendor, the lack of proper output encoding via htmlspecialchars() violates secure coding standards and could allow attackers to inject malicious scripts that execute in the context of authenticated administrator sessions.
Affected Products
- MaxSite CMS versions up to 109.3
- MaxSite CMS Redirect Plugin (affected component)
Discovery Timeline
- April 26, 2026 - CVE-2026-7012 published to NVD
- April 29, 2026 - Last updated in NVD database
Technical Details for CVE-2026-7012
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Cross-Site Scripting). The root cause lies in the Redirect Plugin's failure to properly sanitize user input before rendering it in HTML output. When user-controlled data from the f_all and f_all404 parameters is processed, it is directly embedded into the page without proper encoding. This allows an attacker with administrative privileges to inject arbitrary JavaScript code that will be executed when the affected page is rendered.
The vendor has acknowledged this as a violation of secure coding standards, noting that "the lack of filtering via htmlspecialchars() has already been fixed in the latest patch to prevent incorrect data display."
Root Cause
The vulnerability exists because user-supplied input was not properly sanitized using PHP's htmlspecialchars() function before being rendered in HTML context. This allowed special characters like <, >, and " to be interpreted as HTML/JavaScript rather than displayed as text. The fix involves wrapping user input with htmlspecialchars() to encode these special characters.
Attack Vector
The attack requires network access and targets the Redirect Plugin's administrative interface. An attacker with high privileges (administrator access) could manipulate the f_all or f_all404 parameters to inject malicious JavaScript. Since this is classified as a "Self-XSS" by the vendor, user interaction is required for exploitation. The stored nature of this XSS means the malicious payload persists and executes whenever the affected page is viewed.
// Security patch example from MaxSite CMS 109.4
// Before (vulnerable):
$form .= '<p><strong>' . t('Файл для логов:') . '</strong> ' . getinfo('uploads_dir') . ' <input name="f_logging_file" type="text" value="' . $options['logging_file'] . '">';
// After (fixed):
$form .= '<p><strong>' . t('Файл для логов:') . '</strong> ' . getinfo('uploads_dir') . ' <input name="f_logging_file" type="text" value="' . htmlspecialchars($options['logging_file']) . '">';
Source: GitHub Commit
Detection Methods for CVE-2026-7012
Indicators of Compromise
- Unusual JavaScript code or HTML tags present in Redirect Plugin configuration fields (f_all, f_all404)
- Unexpected script execution or browser behavior when accessing Redirect Plugin administrative pages
- Modified configuration values containing encoded or obfuscated script payloads
Detection Strategies
- Review Redirect Plugin configuration data for suspicious content such as <script> tags, event handlers (onerror, onload), or encoded JavaScript
- Monitor web application logs for unusual POST requests to the Redirect Plugin administrative endpoints
- Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts
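The configuration review described above, as an added example that is not code from MaxSite CMS or from this advisory: it decodes layered entity and percent encoding in stored Redirect Plugin values and flags any that contain markup, event-handler attributes or javascript: URIs. The field names follow the page; the sample values are constructed.

```python
import html
import re
from urllib.parse import unquote

# Indicator patterns for markup that has no business in a redirect rule.
# The names are ours; the regexes are kept simple so a reviewer can read them.
INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*(script|img|svg|iframe|object|embed|body)\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
}


def normalize(value, rounds=3):
    """Undo layered HTML-entity and percent encoding so obfuscated payloads
    (e.g. &lt;script&gt; or %3Cscript%3E) are inspected in decoded form."""
    for _ in range(rounds):
        decoded = unquote(html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_options(options):
    """Return {field: [indicator names]} for every field matching at least one indicator."""
    findings = {}
    for field, raw in options.items():
        text = normalize(str(raw))
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if hits:
            findings[field] = hits
    return findings


# Constructed sample of stored Redirect Plugin option values (not real data).
# f_all is benign even though it carries an HTML entity; the other two are not.
SAMPLE_OPTIONS = {
    "f_all": "/old/(.*) /new/$1?src=legacy&amp;ref=1",
    "f_all404": '/404" autofocus onfocus="alert(1)',
    "f_logging_file": "%3Cscript%3Esrc%3D%2F%2Fexample.invalid%2Fx.js%3C%2Fscript%3E",
}

if __name__ == "__main__":
    for field, hits in scan_options(SAMPLE_OPTIONS).items():
        print(f"{field}: {', '.join(hits)}")
```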
Monitoring Recommendations
- Enable comprehensive logging for administrative actions within MaxSite CMS
- Deploy web application firewall (WAF) rules to detect XSS payload patterns in request parameters
- Regularly audit plugin configurations for unexpected or malicious content
How to Mitigate CVE-2026-7012
Immediate Actions Required
- Upgrade MaxSite CMS to version 109.4 or later, which contains the security fix
- Review existing Redirect Plugin configuration for any potentially malicious content
- Restrict administrative access to trusted users only
- Implement Content Security Policy headers to mitigate XSS impact
Patch Information
The vulnerability has been addressed in MaxSite CMS version 109.4. The fix is identified by commit hash 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7. The patch adds proper output encoding using htmlspecialchars() to prevent user input from being interpreted as HTML/JavaScript. Detailed patch information is available in the GitHub commit and release notes.
Workarounds
- Restrict access to the Redirect Plugin administrative interface to only essential personnel
- Implement strict Content Security Policy (CSP) headers to block inline script execution
- Manually apply input sanitization if upgrading is not immediately possible by ensuring all user input is passed through htmlspecialchars() before output
# Configuration example: Add CSP header in .htaccess
# This helps mitigate XSS attacks by restricting script execution
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.