CVE-2018-11332

MEDIUM

ClipperCMS 1.3.3 - Stored Cross-Site Scripting via Site Name Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-11332. PoCs published by Nathu Nandwani.

AI-analyzed exploit summary This exploit demonstrates a persistent XSS vulnerability in ClipperCMS 1.3.3 via the 'Site name' field, allowing authenticated attackers to inject arbitrary JavaScript. The payload executes when saved and affects unauthenticated users visiting the login page.

Description

Stored cross-site scripting (XSS) vulnerability in the "Site Name" field found in the "site" tab under configurations in ClipperCMS 1.3.3 allows remote attackers to inject arbitrary web script or HTML via a crafted site name to the manager/processors/save_settings.processor.php file.

Exploits (1)

exploitdb WORKING POC

by Nathu Nandwani · textwebappsphp

https://www.exploit-db.com/exploits/44775

View Code ZIP pw:eip

This exploit demonstrates a persistent XSS vulnerability in ClipperCMS 1.3.3 via the 'Site name' field, allowing authenticated attackers to inject arbitrary JavaScript. The payload executes when saved and affects unauthenticated users visiting the login page.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: ClipperCMS 1.3.3

Auth required

Prerequisites: Administrator access to ClipperCMS

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://github.com/ClipperCMS/ClipperCMS/issues/483

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44775/

Scores

CVSS v3 4.8

EPSS 0.0188

EPSS Percentile 76.7%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

clippercms/clippercms 1.3.3

Published May 24, 2018

Tracked Since Feb 18, 2026