CVE-2009-1228

Arcadwy Arcade Script CMS - Stored Cross-Site Scripting via User Registration Username Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2009-1228. PoCs published by Anarchy Angel.

AI-analyzed exploit summary This is a writeup describing a stored XSS vulnerability in Arcadwy Arcade Script CMS. The exploit involves injecting an XSS payload into the username field during registration, which executes whenever the username is displayed on the site.

Description

Cross-site scripting (XSS) vulnerability in register.php in Arcadwy Arcade Script CMS allows remote attackers to inject arbitrary web script or HTML via the username field (user_name parameter).

Exploits (1)

exploitdb WRITEUP VERIFIED

by Anarchy Angel · textwebappsphp

https://www.exploit-db.com/exploits/8296

View Code ZIP pw:eip

This is a writeup describing a stored XSS vulnerability in Arcadwy Arcade Script CMS. The exploit involves injecting an XSS payload into the username field during registration, which executes whenever the username is displayed on the site.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Arcadwy Arcade Script CMS

No auth needed

Prerequisites: Access to the registration page of the target site

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/49472

Vendor Advisory third-party-advisory x_refsource_secunia

http://secunia.com/advisories/34506

Exploit, Third Party Advisory exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/8296

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/34275

Scores

EPSS 0.0152

EPSS Percentile 71.4%

Details

CWE

CWE-79

Status published

Products (1)

arcadwy/arcadwy_arcade_script_cms

Published Apr 02, 2009

Tracked Since Feb 18, 2026