CVE-2018-10118

MEDIUM

Monstra CMS 3.0.4 - Stored Cross-Site Scripting via Name Field on Create New Page

Exploitation Summary

EIP tracks 2 public exploits for CVE-2018-10118. PoCs published by DEEPIN2, GeunSam2.

Description

Monstra CMS 3.0.4 has Stored XSS via the Name field on the Create New Page screen under the admin/index.php?id=pages URI, related to plugins/box/pages/pages.admin.php.

Exploits (2)

exploitdb WORKING POC
by DEEPIN2 · python · webapps · php
https://www.exploit-db.com/exploits/44855

This exploit demonstrates a stored XSS vulnerability in Monstra CMS < 3.0.4 by injecting malicious script into the page title field via an admin session. It automates the process of creating a page with the payload and verifies success by checking for the presence of the exploit string in the response.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Monstra CMS < 3.0.4
Auth required
Prerequisites: Admin session cookie (PHPSESSID) · Valid CSRF token
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 1 stars
by GeunSam2 · poc
https://github.com/GeunSam2/CVE-2018-10118

This PoC exploits CVE-2018-10118, a stored XSS vulnerability in the target software. It allows an attacker to inject malicious scripts into a page via the 'page_title' parameter, which is then executed when the page is accessed.

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: Unknown (likely a CMS or web application with admin panel)
Auth required
Prerequisites: Admin session cookie (PHPSESSID) · Target URL · Page name · Malicious script
devstral-2 · analyzed Feb 16, 2026

References (2)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/monstra-cms/monstra/issues/436
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44855/

Scores

CVSS v3 4.8
EPSS 0.0290
EPSS Percentile 85.2%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE: CWE-79
Status: published
Products (1): monstra/monstra 3.0.4
Published: Apr 16, 2018
Tracked Since: Feb 18, 2026