CVE-2014-4710

ZeroCMS 1.0 - Stored Cross-Site Scripting via Full Name Field

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-4710. PoCs published by Mayuresh Dani.

AI-analyzed exploit summary: This is a technical writeup describing a persistent XSS vulnerability in ZeroCMS 1.0, where unsanitized input in the 'Full Name', 'Email Address', 'Password', or 'Confirm Password' fields is stored in the database and executed when visiting logged-in pages. The writeup includes steps to reproduce the vulnerability and references external analysis.

Description

Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field.

Exploits (1)

exploitdb WRITEUP
by Mayuresh Dani · text · webapps · php
https://www.exploit-db.com/exploits/34170

Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: ZeroCMS 1.0
No auth needed
Prerequisites: Access to the 'Create Account' page
MITRE ATT&CK
mistral-large-3 · analyzed Feb 18, 2026

Scores

EPSS: 0.0322
EPSS Percentile: 86.7%

Details

CWE: CWE-79
Status: published
Products (1): aas9/zerocms 1.0
Published: Jul 29, 2014
Tracked Since: Feb 18, 2026