CVE-2026-7015 Overview
A stored cross-site scripting (XSS) vulnerability has been discovered in MaxSite CMS up to version 109.3. This vulnerability affects the Guestbook Plugin component, where improper input validation of multiple form arguments (f_text, f_slug, f_limit, f_email) allows attackers to inject malicious scripts. The attack can be launched remotely, though it requires privileged access and user interaction to trigger.
Critical Impact
Attackers can inject persistent malicious scripts through the Guestbook Plugin, potentially leading to session hijacking, defacement, or credential theft when administrative users interact with the poisoned content.
Affected Products
- MaxSite CMS versions up to and including 109.3
- MaxSite CMS Guestbook Plugin
- MaxSite CMS Antispam Plugin (admin.php component)
Discovery Timeline
- 2026-04-26 - CVE-2026-7015 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2026-7015
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists in the Guestbook Plugin where user-supplied input through form fields is not properly sanitized before being rendered in web pages.
The vendor has classified this as a "Self-XSS" vulnerability, noting that while the immediate exploitability is limited due to the requirement of privileged access, it still represents a violation of secure coding standards. The lack of proper output encoding via htmlspecialchars() allowed unsanitized user input to be displayed, creating the potential for script injection attacks.
The network-accessible attack vector combined with the requirement for high privileges and user interaction places this in the lower severity range. However, stored XSS vulnerabilities can persist in the system and affect multiple users who view the compromised content.
Root Cause
The root cause of this vulnerability is missing input sanitization in the Guestbook Plugin and related components. Specifically, user-controlled form values were being directly inserted into HTML output without proper encoding through PHP's htmlspecialchars() function. This allowed special characters like <, >, and " to be interpreted as HTML/JavaScript rather than displayed as literal text.
The vulnerability affected multiple input fields including f_text, f_slug, f_limit, and f_email parameters, as well as the logging file configuration in the antispam plugin's admin interface.
Attack Vector
The attack is network-based and requires the attacker to have high-level privileges within the MaxSite CMS administration panel. An attacker with administrative access could inject malicious JavaScript code through the vulnerable form fields. When other authenticated users (such as site administrators) view pages containing the injected content, the malicious script would execute in their browser context.
The following patch demonstrates how the vulnerability was remediated by adding htmlspecialchars() encoding:
// Before (vulnerable):
$form .= '<p><strong>' . t('Файл для логов:') . '</strong> ' . getinfo('uploads_dir') . ' <input name="f_logging_file" type="text" value="' . $options['logging_file'] . '">';
// After (fixed):
$form .= '<p><strong>' . t('Файл для логов:') . '</strong> ' . getinfo('uploads_dir') . ' <input name="f_logging_file" type="text" value="' . htmlspecialchars($options['logging_file']) . '">';
Source: GitHub Commit Details
Detection Methods for CVE-2026-7015
Indicators of Compromise
- Unusual JavaScript code or HTML tags appearing in Guestbook entries or plugin configuration fields
- Unexpected <script> tags or event handler attributes (e.g., onerror, onclick) in database content
- Reports from users of unexpected browser behavior when viewing guestbook pages
Detection Strategies
- Review MaxSite CMS version and confirm whether running version 109.3 or earlier
- Scan Guestbook database content for suspicious HTML/JavaScript patterns
- Monitor web application firewall (WAF) logs for XSS payload patterns in POST requests to the Guestbook Plugin
- Implement Content Security Policy (CSP) headers to detect and report inline script execution attempts
Monitoring Recommendations
- Enable verbose logging for administrative actions in MaxSite CMS
- Configure browser-based XSS auditing and report-only CSP policies to identify exploitation attempts
- Monitor for unexpected changes to plugin configuration values in the admin interface
How to Mitigate CVE-2026-7015
Immediate Actions Required
- Upgrade MaxSite CMS to version 109.4 or later immediately
- Review existing Guestbook entries and plugin configurations for any injected malicious content
- Temporarily disable the Guestbook Plugin if immediate upgrade is not possible
- Implement Web Application Firewall (WAF) rules to filter XSS payloads
Patch Information
MaxSite CMS has released version 109.4 which addresses this vulnerability. The fix is contained in commit 8a3946bd0a54bfb72a4d57179fcd253f2c550cd7, which adds proper htmlspecialchars() encoding to user-supplied input before rendering in HTML contexts.
The patch can be applied by upgrading to the latest version from the MaxSite CMS GitHub repository. The specific security commit is available at the GitHub Commit Details page.
Workarounds
- If upgrading is not immediately possible, disable or remove the Guestbook Plugin temporarily
- Implement strict Content Security Policy (CSP) headers that prevent inline script execution
- Restrict administrative access to trusted users only and enforce multi-factor authentication
- Deploy a Web Application Firewall with XSS filtering rules enabled
# Example Apache configuration for CSP headers
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
