CVE-2011-5267

WikiWig 5.01 - Cross-Site Scripting via SpellChecker Module Parameters

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2011-5267. PoCs published by John Leitch, AutoSec Tools.

AI-analyzed exploit summary The provided text describes an HTML injection vulnerability in Xinha 0.96.1, where user-supplied input is not sufficiently sanitized, allowing attacker-supplied HTML or JavaScript code to execute in the context of the affected site. The example URL demonstrates a reflected XSS payload via the 'to_r_list' parameter.

Description

Multiple cross-site scripting (XSS) vulnerabilities in spell-check-savedicts.php in the SpellChecker module in Xinha, as used in WikiWig 5.01 and possibly other products, allow remote attackers to inject arbitrary web script or HTML via the (1) to_p_dict or (2) to_r_list parameter. NOTE: this issue might be related to the htmlarea plugin and CVE-2013-5670.

Exploits (2)

exploitdb WRITEUP VERIFIED

by John Leitch · textwebappsphp

https://www.exploit-db.com/exploits/35436

View Code ZIP pw:eip

The provided text describes an HTML injection vulnerability in Xinha 0.96.1, where user-supplied input is not sufficiently sanitized, allowing attacker-supplied HTML or JavaScript code to execute in the context of the affected site. The example URL demonstrates a reflected XSS payload via the 'to_r_list' parameter.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: Xinha 0.96.1

No auth needed

Prerequisites: Access to the vulnerable endpoint

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC

by AutoSec Tools · textwebappsphp

https://www.exploit-db.com/exploits/16988

View Code ZIP pw:eip

This exploit demonstrates a persistent/reflected XSS vulnerability in WikiWig 5.01. The PoC includes URLs and payloads to trigger arbitrary JavaScript execution, either via reflected parameters or persistent storage through user-editable pages.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: WikiWig 5.01

No auth needed

Prerequisites: Access to the target WikiWig instance · For persistent XSS, ability to create/edit a user account/page

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Patch mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2013/09/01/3

Exploit x_refsource_misc

http://www.autosectools.com/Advisories/WikiWig.5.01_Persistent-Reflected.Cross-site.Scripting_139.html

Patch mailing-list x_refsource_mlist

http://www.openwall.com/lists/oss-security/2013/09/01/1

Exploit exploit x_refsource_exploit-db

http://www.exploit-db.com/exploits/16988

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://www.osvdb.org/71070

Scores

EPSS 0.0187

EPSS Percentile 76.6%

Details

CWE

CWE-79

Status published

Products (1)

wikiwig_project/wikiwig 5.0.1

Published Nov 05, 2013

Tracked Since Feb 18, 2026