CVE-2026-7012
Cross-Site Scripting in MaxSite CMS Redirect Plugin
Publication date: 2026-04-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxsite | maxsite_cms | < 109.4 (all releases before 109.4, i.e. up to and including 109.3) |
| maxsite | maxsite_cms | 109.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided context does not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability exists in MaxSite CMS up to and including version 109.3, in the Redirect Plugin component. The values submitted in the f_all and f_all404 parameters are written back into the page without output encoding, so a crafted value is rendered by the browser as HTML or JavaScript instead of as text: a cross-site scripting (XSS) flaw (CWE-79) that can be triggered with a remotely sent request.
The root cause is a missing call to htmlspecialchars(): the plugin displayed the submitted values without escaping <, >, & and quotes, so a value containing a <script> tag or an inline event handler was interpreted as markup. The vendor classifies the issue as "Self-XSS", meaning the user who submits the payload is normally the one whose browser renders it, but acknowledges that it violates secure coding standards.
Upgrading to version 109.4 fixes the issue by passing the affected values through htmlspecialchars() before they are output.
How can this vulnerability impact me?
If an attacker can get a crafted f_all or f_all404 value rendered in a victim's browser, script executes in the origin of the affected site. The usual consequences of XSS apply: session hijacking, defacement of the page, or redirecting users to malicious sites.
The request itself can be sent remotely, but because the vendor classifies the flaw as Self-XSS, a victim generally has to be tricked into submitting the payload themselves, which limits practical exposure.
The CVSS scores reflect this: low severity, with base scores between 1.9 and 3.3 depending on the CVSS version used to score the issue.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a cross-site scripting (XSS) flaw reached through the f_all and f_all404 parameters of the Redirect Plugin in MaxSite CMS up to version 109.3.
Detection consists of watching HTTP requests to the MaxSite CMS instance for f_all or f_all404 values that contain HTML tags, quotes breaking out of attributes, javascript: URLs, or inline event handlers. Two caveats: browsers and tools URL-encode such payloads, so a tag shows up in the access log as %3Cscript%3E rather than <script>, and parameters sent in a POST body do not appear in access logs at all, only in a proxy, WAF or application log that records request bodies.
You can use web server logs or network traffic capture tools to look for such patterns.
- Use grep or similar tools on web server logs to find requests with encoded or literal tag characters in f_all or f_all404 values, for example: grep -iE 'f_all(404)?=[^& ]*(<|%3C|%253C)' access.log
- Use curl or wget to send crafted requests with XSS payloads in the f_all/f_all404 parameters to an instance you are authorized to test, and check whether the response reflects the input without encoding.
- Use web vulnerability scanners that support XSS detection, targeting the affected CMS URL and these two parameters.
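The following script is an added example of the log-based detection described above; it is not part of the CVE record or of the MaxSite code base. It parses Apache/nginx "combined" log lines, URL-decodes the f_all and f_all404 values (twice, so double-encoded payloads are also caught), and flags values that contain markup. The request path /admin/plugin/redirect and the log lines are constructed for illustration and are not real traffic; check which URL your own installation uses.

```python
"""Offline scan of access-log lines for XSS probes against the MaxSite CMS
Redirect Plugin parameters f_all and f_all404 (CVE-2026-7012).

Added example, not code from the CVE record or from MaxSite CMS. The path
'/admin/plugin/redirect' and the sample log lines below are constructed.
Only GET query strings are visible in access logs; parameters sent in a
POST body will not show up here.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters named in the advisory.
WATCHED_PARAMS = ("f_all", "f_all404")

# Indicators of HTML/JS injection in a decoded value. Deliberately broad:
# these parameters are expected to hold plain text, so any markup is suspect.
XSS_PATTERN = re.compile(
    r"<\s*/?\s*[a-z!]"      # opening/closing tag or <!-- comment
    r"|javascript\s*:"      # javascript: URL scheme
    r"|\bon[a-z]+\s*="      # inline event handler such as onerror=
    r"|[\"']\s*>",          # quote closing an attribute, then end of tag
    re.IGNORECASE,
)

# Request line inside a "combined" log entry: "METHOD TARGET HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_param_values(target):
    """Return {param: [decoded values]} for the watched params in a request target.

    parse_qs() decodes once; unquote() decodes a second time so that a
    double-encoded payload (%253C -> %3C -> <) does not slip past the check.
    """
    query = urlsplit(target).query
    found = {}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name in WATCHED_PARAMS:
            found[name] = [unquote(v) for v in values]
    return found


def find_xss_probes(log_lines):
    """Return (line_no, param, decoded_value) for every suspicious watched-param value."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for param, values in decode_param_values(m.group("target")).items():
            for value in values:
                if XSS_PATTERN.search(value):
                    hits.append((line_no, param, value))
    return hits


# Constructed sample log lines (not real traffic). Line 2 carries a URL-encoded
# <script> tag, line 3 a double-encoded <img onerror=> payload, line 4 a benign
# redirect rule containing '>' that a naive grep for '>' would flag.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2026:10:00:01 +0000] "GET /admin/plugin/redirect HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2026:10:00:07 +0000] "GET /admin/plugin/redirect?f_all=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 611 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [26/Apr/2026:10:01:13 +0000] "GET /admin/plugin/redirect?f_all404=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '203.0.113.5 - - [26/Apr/2026:10:02:40 +0000] "GET /admin/plugin/redirect?f_all=%2Fold-page%20->%20%2Fnew-page HTTP/1.1" 200 590 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for line_no, param, value in find_xss_probes(SAMPLE_LOG):
        print(f"line {line_no}: {param}={value!r}")
```

Run it against a real log with `find_xss_probes(open("access.log"))`; the pattern is tuned for these two free-text parameters and would be too noisy for parameters that legitimately carry HTML.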
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade MaxSite CMS to version 109.4 or later, where the vulnerability has been fixed.
The fix applies htmlspecialchars() to the affected values when they are output, so that <, >, & and quotes are rendered as text rather than interpreted as markup.
If an immediate upgrade is not possible, filter the affected parameters (f_all/f_all404) in front of the application, for example with a web application firewall rule that rejects requests whose f_all or f_all404 value contains angle brackets, quotes or event-handler keywords, or add the same output encoding in the plugin yourself.
Additionally, monitor for exploitation attempts and restrict access to the vulnerable plugin if feasible.