CVE-2026-7013
Cross-Site Scripting in MaxSite CMS mail_send Plugin
Publication date: 2026-04-26
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| maxsite | maxsite_cms | up to 109.4 (excluding) |
| maxsite | mail_send_plugin | up to 109.4 (excluding) |
| maxsite | maxsite_cms | 109.4 |
| maxsite | mail_send_plugin | 109.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects MaxSite CMS up to version 109.3, specifically in the mail_send Plugin component. It involves improper handling of certain input arguments (f_subject, f_files, f_from) that can be manipulated to perform a cross-site scripting (XSS) attack. This means an attacker can inject malicious scripts remotely through these inputs.
The issue arises because the inputs were not properly sanitized using functions like htmlspecialchars(), allowing unsafe data to be rendered in HTML contexts. The vulnerability is classified as a "Self-XSS" by the vendor, but it still violates secure coding standards.
Upgrading to MaxSite CMS version 109.4 resolves this issue by applying proper input sanitization to prevent incorrect data display and mitigate XSS attacks.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute malicious scripts in the context of the affected website by exploiting the mail_send Plugin inputs. Such cross-site scripting attacks can lead to unauthorized actions, session hijacking, or the injection of malicious content that affects users interacting with the site.
Since the attack can be initiated remotely, it poses a risk to the security and integrity of the website and its users. However, the CVSS scores indicate a relatively low severity (BaseScore 1.9 to 3.3), suggesting limited impact under certain conditions, such as requiring high privileges or user interaction.
Upgrading to version 109.4 is recommended to mitigate these risks.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves cross-site scripting (XSS) through manipulation of the arguments f_subject, f_files, or f_from in the mail_send plugin of MaxSite CMS up to version 109.3.
To detect this vulnerability on your system, you can monitor HTTP requests targeting the mail_send plugin for suspicious input in these parameters that may contain HTML or JavaScript code.
For example, you can use network monitoring tools or web server logs to search for requests containing suspicious payloads in these parameters.
A simple command to search web server logs (e.g., Apache or Nginx) for potential XSS attempts might be:
- grep -iE 'f_subject=|f_files=|f_from=' /var/log/apache2/access.log | grep -iE '<script|javascript:'
Alternatively, using network packet capture tools like tcpdump or Wireshark to filter HTTP traffic for these parameters may help identify exploit attempts.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade MaxSite CMS and the mail_send plugin to version 109.4 or later, where this vulnerability has been fixed.
The fix involves applying the htmlspecialchars() function to user inputs in the mail_send plugin to prevent cross-site scripting attacks.
If immediate upgrade is not possible, consider implementing input validation or filtering on the affected parameters (f_subject, f_files, f_from) to block or sanitize potentially malicious input.
Additionally, monitor your system for suspicious activity related to these parameters and restrict access to the mail_send plugin to trusted users where feasible.
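The script below is an added example and is not part of the CVE record or of the MaxSite CMS code base. It covers both the log-based detection suggested in the previous answer and the interim filtering suggested in this one: it parses access-log request lines, URL-decodes the f_subject, f_files and f_from values (once more than the web server did, so a double-encoded payload is not missed) and flags markup or script in them, and it applies an escaping step equivalent to PHP's htmlspecialchars() with ENT_QUOTES to those same parameters. The log lines, the `mail_send` path fragment used to pick out plugin requests and the assumption that the parameters travel in the query string are all constructed for the example.

```python
"""Added example: detect and filter XSS-bearing values in the three mail_send
parameters named in the advisory.  Log lines and the plugin path hint are
constructed for this example; nothing here is MaxSite CMS code."""
import html
import re
import urllib.parse
from typing import Dict, List, Tuple

# Parameters named in the CVE description.
WATCHED_PARAMS = ("f_subject", "f_files", "f_from")
# Assumed fragment of the plugin's request path (not taken from the page).
PLUGIN_PATH_HINT = "mail_send"

# Fragments that indicate markup or script once a value is fully decoded:
# an opening/closing tag, a javascript: URL, or an inline event handler.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

# Request part of a combined-format access log line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def decoded_params(target: str) -> Dict[str, List[str]]:
    """Split the query string and decode each value one extra time, so a
    double-encoded payload (%253C -> %3C -> <) is revealed as well."""
    query = urllib.parse.urlsplit(target).query
    params = urllib.parse.parse_qs(query, keep_blank_values=True)  # decodes once
    return {k: [urllib.parse.unquote(v) for v in vals] for k, vals in params.items()}


def flag_log_line(line: str) -> List[str]:
    """Return the watched parameters whose decoded value carries markup or
    script; [] if the line is clean or is not a request to the plugin."""
    m = LOG_RE.search(line)
    if not m or PLUGIN_PATH_HINT not in m.group("target"):
        return []
    hits = [name for name, values in decoded_params(m.group("target")).items()
            if name in WATCHED_PARAMS and any(SUSPICIOUS.search(v) for v in values)]
    return sorted(hits)


def scan_log(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(1-based line number, flagged parameters) for every suspicious line."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = flag_log_line(line)
        if hits:
            results.append((number, hits))
    return results


def sanitize_params(params: Dict[str, str]) -> Dict[str, str]:
    """Interim filter for the affected parameters: escape &, <, >, " and '
    as htmlspecialchars($v, ENT_QUOTES) would.  Python renders the single
    quote as &#x27; where PHP emits &#039;; both are safe in HTML."""
    return {k: (html.escape(v, quote=True) if k in WATCHED_PARAMS else v)
            for k, v in params.items()}


# Constructed sample log: one benign request, one plain payload, one
# double-encoded payload, and one payload outside the plugin path.
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2026:10:00:01 +0000] "GET /mail_send?f_subject=Hello&f_from=alice%40example.com HTTP/1.1" 200 512',
    '203.0.113.7 - - [26/Apr/2026:10:00:02 +0000] "GET /mail_send?f_subject=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Apr/2026:10:00:03 +0000] "GET /mail_send?f_files=x&f_from=%253Cimg%2520src%253Dx%2520onerror%253D1%253E HTTP/1.1" 200 512',
    '203.0.113.9 - - [26/Apr/2026:10:00:04 +0000] "GET /page?f_subject=%3Cb%3Ehi HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        print(f"line {number}: suspicious value in {', '.join(hits)}")
    print(sanitize_params({"f_subject": '<b onclick="x">hi</b>', "body": "<b>"}))
```

Two caveats apply to both this script and the grep one-liner: access logs only record the request line, so parameters sent in a POST body never appear in them (request-body logging or a WAF is needed for that path), and the escaping in `sanitize_params` is a stop-gap for rendering into HTML element and attribute content, not a substitute for the vendor's 109.4 fix.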
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in MaxSite CMS involves a cross-site scripting (XSS) issue due to improper input sanitization in the mail_send plugin. While the vendor classifies it as a "Self-XSS" and has patched it by applying htmlspecialchars() to user inputs, the description does not explicitly mention any direct impact on compliance with common standards and regulations such as GDPR or HIPAA.
However, XSS vulnerabilities can potentially lead to unauthorized access or manipulation of user data, which may indirectly affect compliance with data protection regulations that require secure handling of personal information. Since the vulnerability allows remote exploitation and involves user input manipulation, it could pose risks related to data integrity and confidentiality if exploited.
Upgrading to version 109.4 resolves the issue by enforcing secure coding standards, which aligns with best practices for maintaining compliance with security requirements in various regulations.