CVE-2018-9236

MEDIUM

iScripts EasyCreate 3.2.1 - Stored Cross-Site Scripting via Site Title Field

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-9236. PoCs published by ManhNho.

AI-analyzed exploit summary This exploit demonstrates a stored XSS vulnerability in iScripts EasyCreate 3.2.1, where malicious scripts can be injected into the 'Site Description' and 'Site Title' fields. The PoC shows how an attacker can execute arbitrary JavaScript in the context of a user's session.

Description

iScripts EasyCreate 3.2.1 has Stored Cross-Site Scripting in the "Site title" field.

Exploits (1)

exploitdb WORKING POC

by ManhNho · textwebappsphp

https://www.exploit-db.com/exploits/44436

View Code ZIP pw:eip

This exploit demonstrates a stored XSS vulnerability in iScripts EasyCreate 3.2.1, where malicious scripts can be injected into the 'Site Description' and 'Site Title' fields. The PoC shows how an attacker can execute arbitrary JavaScript in the context of a user's session.

Classification

Working Poc 90%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: iScripts EasyCreate 3.2.1

Auth required

Prerequisites: Access to user dashboard · Ability to edit site details

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory x_refsource_misc

https://pastebin.com/Amw08sAj

Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/44436/

Scores

CVSS v3 5.4

EPSS 0.0188

EPSS Percentile 76.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (1)

iscripts/easycreate 3.2.1

Published Apr 04, 2018

Tracked Since Feb 18, 2026