Wolfcms 0.75 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of “setting[admin_email]” parameter, passed to server side logic (path: “wolfcms/admin/setting”) via http POST method.
Exploiting this vulnerability an authenticated admin could insert arbitrary code in “Site email” field which will be executed when another admin clicks on “Administrator” tab.
To view my Original Advisory:
Wolfcms 0.75 new Pesistent XSS
Other related publications: