CVE-2010-1916

CVE-2010-1916 is a high-severity vulnerability in Xinha Wysiwyg Editor with a CVSS 2.0 base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-264.

Key facts

Description

The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin.

Frequently asked questions

What is CVE-2010-1916?
The dynamic configuration feature in Xinha WYSIWYG editor 0.96 Beta 2 and earlier, as used in Serendipity 1.5.2 and earlier, allows remote attackers to bypass intended access restrictions and modify the configuration of arbitrary plugins via (1) crafted backend_config_secret_key_location and backend_config_hash parameters that are used in a SHA1 hash of a shared secret that can be known or externally influenced, which are not properly handled by the "Deprecated config passing" feature; or (2) crafted backend_data and backend_data[key_location] variables, which are not properly handled by the xinha_read_passed_data function. NOTE: this can be leveraged to upload and possibly execute arbitrary files via config.inc.php in the ImageManager plugin.
How severe is CVE-2010-1916?
CVE-2010-1916 has a CVSS 2.0 base score of 7.5, rated high severity.
Is CVE-2010-1916 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 3% (87th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2010-1916?
CVE-2010-1916 primarily affects Xinha Wysiwyg Editor. In total, 41 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2010-1916?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
When was CVE-2010-1916 published?
CVE-2010-1916 was published on 2010-05-12 and last updated on 2026-06-16.

References

Affected products (41)

Other CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities

Browse all CWE-264 (Permissions, Privileges, and Access Controls) vulnerabilities →