Aggregates CVE and security vulnerability intelligence across all Wuzhicms-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk sql injection, vendor risk csrf, and vendor risk path handling and related problems; some flaws may lead to vendor impact data exposure and vendor impact file overwrite.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2025-3563 | A vulnerability was found in WuzhiCMS 4.1. It has been rated as critical. Affected by this issue is the function Set of the file /index.php?m=attachment&f=index&_su=wuzhicms&v=set&submit=1 of the component Setting Handler. The manipulation of the argument Setting leads to code injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.1 | 0.18% | 2025-04-14 | 2025-04-29 |
| CVE-2025-25916 | wuzhicms v4.1.0 has a Cross Site Scripting (XSS) vulnerability in del function in \coreframe\app\member\admin\group.php. | [email protected] | 5.4 | 0.05% | 2025-02-28 | 2025-04-29 |
| CVE-2025-0480 | A vulnerability classified as problematic has been found in wuzhicms 4.1.0. This affects the function test of the file coreframe/app/search/admin/config.php. The manipulation of the argument sphinxhost/sphinxport leads to server-side request forgery. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | [email protected] | 5.3 | 0.17% | 2025-01-15 | 2025-05-13 |
| CVE-2024-10505 | A vulnerability was found in wuzhicms 4.1.0. It has been classified as critical. Affected is the function add/edit of the file www/coreframe/app/content/admin/block.php. The manipulation leads to code injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Initially two separate issues were created by the researcher for the different function calls. The vendor was contacted early about this disclosure but did not respond in any way. | [email protected] | 5.3 | 0.09% | 2024-10-30 | 2024-11-06 |
| CVE-2024-32206 | A stored cross-site scripting (XSS) vulnerability in the component \affiche\admin\index.php of WUZHICMS v4.1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the $formdata parameter. | [email protected] | 4.6 | 0.22% | 2024-04-19 | 2025-05-05 |
| CVE-2024-31008 | An issue was discovered in WUZHICMS version 4.1.0, allows an attacker to execute arbitrary code and obtain sensitive information via the index.php file. | [email protected] | 6.5 | 0.18% | 2024-04-03 | 2025-05-13 |
| CVE-2023-52064 | Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the $keywords parameter at /core/admin/copyfrom.php. | [email protected] | 9.8 | 0.14% | 2024-01-10 | 2025-06-03 |
| CVE-2023-46482 | SQL injection vulnerability in wuzhicms v.4.1.0 allows a remote attacker to execute arbitrary code via the Database Backup Functionality in the coreframe/app/database/admin/index.php component. | [email protected] | 9.8 | 1.96% | 2023-11-01 | 2024-11-21 |
| CVE-2020-36037 | An issue was disocvered in wuzhicms version 4.1.0, allows remote attackers to execte arbitrary code via the setting parameter to the ueditor in index.php. | [email protected] | 8.8 | 0.39% | 2023-08-11 | 2024-11-21 |
| CVE-2020-21325 | An issue in WUZHI CMS v.4.1.0 allows a remote attacker to execute arbitrary code via the set_chache method of the function\common.func.php file. | [email protected] | 8.8 | 1.45% | 2023-06-20 | 2024-12-09 |
| CVE-2020-20413 | SQL injection vulnerability found in WUZHICMS v.4.1.0 allows a remote attacker to execute arbitrary code via the checktitle() function in admin/content.php. | [email protected] | 9.8 | 0.78% | 2023-06-20 | 2024-12-10 |
| CVE-2023-31860 | Wuzhi CMS v3.1.2 has a storage type XSS vulnerability in the backend of the Five Finger CMS b2b system. | [email protected] | 5.4 | 0.20% | 2023-05-23 | 2025-05-05 |
| CVE-2023-30123 | wuzhicms v4.1.0 is vulnerable to Cross Site Scripting (XSS) in the Member Center, Account Settings. | [email protected] | 5.4 | 0.20% | 2023-04-28 | 2025-01-30 |
| CVE-2022-36168 | A directory traversal vulnerability was discovered in Wuzhicms 4.1.0. via /coreframe/app/attachment/admin/index.php: | [email protected] | 2.7 | 0.45% | 2022-08-26 | 2024-11-21 |
| CVE-2020-19897 | A reflected Cross Site Scripting (XSS) in wuzhicms v4.1.0 allows remote attackers to execute arbitrary web script or HTML via the imgurl parameter. | [email protected] | 6.1 | 0.27% | 2022-06-28 | 2025-05-05 |
| CVE-2021-41654 | SQL injection vulnerabilities exist in Wuzhicms v4.1.0 which allows attackers to execute arbitrary SQL commands via the $keyValue parameter in /coreframe/app/pay/admin/index.php | [email protected] | 9.8 | 0.27% | 2022-06-16 | 2024-11-21 |
| CVE-2022-27431 | Wuzhicms v4.1.0 was discovered to contain a SQL injection vulnerability via the groupid parameter at /coreframe/app/member/admin/group.php. | [email protected] | 9.8 | 0.23% | 2022-05-04 | 2025-05-05 |
| CVE-2020-19770 | A cross-site scripting (XSS) vulnerability in the system bulletin component of WUZHI CMS v4.1.0 allows attackers to steal the admin's cookie. | [email protected] | 5.4 | 0.18% | 2021-12-21 | 2025-05-05 |
| CVE-2020-28145 | Arbitrary file deletion vulnerability was discovered in wuzhicms v 4.0.1 via coreframe\app\attachment\admin\index.php, which allows attackers to access sensitive information. | [email protected] | 7.5 | 0.28% | 2021-10-12 | 2024-11-21 |
| CVE-2020-20124 | Wuzhi CMS v4.1.0 contains a remote code execution (RCE) vulnerability in \attachment\admin\index.php. | [email protected] | 8.8 | 3.12% | 2021-09-28 | 2025-05-05 |