CVE-2025-15451
Unknown Unknown - Not Provided
Stored XSS in xnx3 wangmarket System Variables Page

Publication date: 2026-01-05

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in xnx3 wangmarket up to 4.9. Affected by this issue is some unknown functionality of the file /admin/system/variableSave.do of the component System Variables Page. Performing a manipulation of the argument Description results in cross site scripting. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15451
EUVD
EUVD-2026-0916
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xnx3 wangmarket to 4.9|start_including=4.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-15451 is a stored Cross-Site Scripting (XSS) vulnerability in the xnx3 wangmarket application up to version 4.9. It occurs in the System Variables Page, specifically in the /admin/system/variableSave.do file, where the Description argument is not properly sanitized. Attackers can inject malicious JavaScript code into system variables, which is then stored persistently. When administrators or users view the system variable list, the malicious script executes in their browsers, potentially leading to session hijacking or cookie theft. Exploitation requires authentication and user interaction, and a public proof-of-concept exploit is available. [1, 3]

Impact Analysis

This vulnerability can impact you by allowing attackers to execute malicious scripts in the browsers of authenticated users, such as administrators. This can lead to theft of cookies, session hijacking, and other malicious activities that compromise data integrity and user sessions. Since the malicious code is stored persistently, it can repeatedly affect users who access the vulnerable interface. [1, 3]

Detection Guidance

Detection involves checking for attempts to exploit the /admin/system/variableSave.do interface by monitoring HTTP requests that manipulate the Description parameter with suspicious scripts or XSS payloads. Since the vulnerability requires authentication and user interaction, reviewing web server logs for POST requests to /admin/system/variableSave.do containing script tags or unusual input in the Description field can help. There is no specific command provided, but using tools like grep or log analysis to search for 'Description=' with script tags in access logs may be effective. [1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /admin/system/variableSave.do interface to trusted users only, implementing strict input validation and sanitization on the Description parameter if possible, and monitoring for suspicious activity. Since no vendor patch or fix is available and the vendor did not respond, it is recommended to consider replacing the affected product with a more secure alternative. Additionally, educating users to avoid interacting with suspicious inputs and applying web application firewalls (WAF) rules to block XSS payloads targeting this endpoint can help reduce risk. [3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15451. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart