diff --git a/README.md b/README.md index f27e170..4b02f29 100644 --- a/README.md +++ b/README.md @@ -99,6 +99,7 @@ - [CVE-2019-19844-Django重置密码漏洞(受影响版本:Django master branch,Django 3.0,Django 2.2,Django 1.11)](https://github.com/ryu22e/django_cve_2019_19844_poc/) - [CVE-2019-17556-unsafe-deserialization-in-apache-olingo(Apache Olingo反序列化漏洞,影响: 4.0.0版本至4.6.0版本)](https://medium.com/bugbountywriteup/cve-2019-17556-unsafe-deserialization-in-apache-olingo-8ebb41b66817) - [ZZCMS201910 SQL Injections](./ZZCMS201910%20SQL%20Injections.md) +- [WDJACMS1.5.2模板注入漏洞](./WDJACMS1.5.2模板注入漏洞.md) ## 提权辅助相关 diff --git a/WDJACMS1.5.2模板注入漏洞.md b/WDJACMS1.5.2模板注入漏洞.md new file mode 100644 index 0000000..767347e --- /dev/null +++ b/WDJACMS1.5.2模板注入漏洞.md @@ -0,0 +1,11 @@ +## WDJACMS1.5.2模板注入漏洞 + +### 根据官网啊的漏洞公告和GitHub提交记录对比 + +[WDJA1.5.2漏洞公告](https://www.wdja.cn/news/?type=detail&id=3): +在会员中心的地址管理中添加地址未进行过滤,会造成任意文件写入漏洞. + +[github提交记录](https://github.com/shadoweb/wdja/commit/eda57d4b803da920d0569eafd9abbddecb73ae65): +可以看到注意改动文件为`php/passport/address/common/incfiles/manage_config.inc.php` 和 `php/passport/address/common/incfiles/module_config.inc.php` 文件都加了 `ii_htmlencode`函数进行过滤。 + +### 审计流程大致可以看这里(来自合天智汇公众号作者-Xiaoleung):[WDJA1.5.2网站内容管理系统模板注入漏洞](%E3%80%90%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E3%80%91WDJA1.5.2%E7%BD%91%E7%AB%99%E5%86%85%E5%AE%B9%E7%AE%A1%E7%90%86%E7%B3%BB%E7%BB%9F%E6%A8%A1%E6%9D%BF%E6%B3%A8%E5%85%A5%E6%BC%8F%E6%B4%9E.pdf) \ No newline at end of file diff --git a/books/【代码审计】WDJA1.5.2网站内容管理系统模板注入漏洞.pdf b/books/【代码审计】WDJA1.5.2网站内容管理系统模板注入漏洞.pdf new file mode 100644 index 0000000..c85d46c Binary files /dev/null and b/books/【代码审计】WDJA1.5.2网站内容管理系统模板注入漏洞.pdf differ
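Review bot: The README entry added at `+- [WDJACMS1.5.2模板注入漏洞](./WDJACMS1.5.2模板注入漏洞.md)` names the issue a template injection, while the linked write-up's own summary of the vendor advisory calls it an arbitrary file write ("添加地址未进行过滤,会造成任意文件写入漏洞"). Pick one name for the entry, or extend it to state both (e.g. "template injection leading to arbitrary file write"), and consider adding the affected version and the vendor advisory URL in the same style as the neighbouring CVE-2019-19844 and CVE-2019-17556 entries, which list the impacted versions inline.

Review bot: The relative link in the new `WDJACMS1.5.2模板注入漏洞.md` is broken: it points to `%E3%80%90%E4%BB%A3%E7%A0%81%E5%AE%A1%E8%AE%A1%E3%80%91WDJA1.5.2...pdf` at the repository root, but the PDF is committed under `books/` (see the `diff --git a/books/【代码审计】WDJA1.5.2网站内容管理系统模板注入漏洞.pdf` hunk), so the href needs a `./books/` prefix. Three smaller points in the same file: the heading `### 根据官网啊的漏洞公告和GitHub提交记录对比` has a stray `啊` (should read "根据官网的漏洞公告和GitHub提交记录对比"); the last heading `### 审计流程大致可以看这里...` is a sentence with a link inside a heading and reads better as body text below a short heading; and the file is missing a trailing newline (`\ No newline at end of file`). On substance, the text says the fix adds `ii_htmlencode` in `manage_config.inc.php` and `module_config.inc.php` but never states what the unfiltered address field flows into or why HTML encoding is the right filter for a template-injection / file-write sink; one sentence tying the advisory's "arbitrary file write" to the "template injection" in the title, and noting whether HTML-encoding alone neutralises the template syntax involved, would make the write-up self-contained rather than deferring entirely to the linked PDF.

Review bot: The new binary `books/【代码审计】WDJA1.5.2网站内容管理系统模板注入漏洞.pdf` is a third-party article (credited in the markdown to the 合天智汇 public account author Xiaoleung) committed as an opaque blob; the repository will carry its full size in history forever and reviewers cannot diff it. Prefer linking to the original publication URL from the markdown, or, if a local copy is intentional, record the source and retrieval date in the markdown next to the link so the provenance of the PDF is visible in the repo and not only in this commit.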