CVE-2018-7736

MEDIUM

Z-BlogPHP 1.5.1.1740 - Cross-Site Scripting via cmd.php Parameters

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-7736. PoCs published by zzw.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in Z-Blog 1.5.1.1740 via the ZC_BLOG_SUBNAME and ZC_UPLOAD_FILETYPE parameters. The PoC includes crafted POST data that injects malicious JavaScript, which executes when rendered in the application.

Description

In Z-BlogPHP 1.5.1.1740, cmd.php has XSS via the ZC_BLOG_SUBNAME parameter or ZC_UPLOAD_FILETYPE parameter. NOTE: the software maintainer disputes that this is a vulnerability

Exploits (1)

exploitdb WORKING POC
by zzw · textwebappsphp
https://www.exploit-db.com/exploits/44406

This exploit demonstrates a stored XSS vulnerability in Z-Blog 1.5.1.1740 via the ZC_BLOG_SUBNAME and ZC_UPLOAD_FILETYPE parameters. The PoC includes crafted POST data that injects malicious JavaScript, which executes when rendered in the application.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: Z-Blog 1.5.1.1740
Auth required
Prerequisites: Valid admin session token · Access to the admin panel
MITRE ATT&CK
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (4)

Core 4
Core References
Third Party Advisory x_refsource_confirm
https://github.com/zblogcn/zblogphp/issues/205
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44406/
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://packetstormsecurity.com/files/147066/Z-Blog-1.5.1.1740-Cross-Site-Scripting.html
Broken Link, Third Party Advisory x_refsource_misc
https://github.com/ponyma233/cms/blob/master/Z-Blog_1.5.1.1740_bugs.md

Scores

CVSS v3 6.1
EPSS 0.0339
EPSS Percentile 87.3%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
zblogcn/z-blogphp 1.5.1.1740
Published Mar 06, 2018
Tracked Since Feb 18, 2026