
code-projects Voting System CVE-2025-11512

Severity: LOW
Weakness: Cross-site Scripting (XSS) (CWE-79)
2025-10-09 · CNA: cna@vuldb.com
Base score: 2.1 (CVSS 4.0 · NVD)

Severity by source

NVD (primary): 2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

The NVD vector above breaks down as follows:

- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: Passive (UI:P)
- Scope: X (not applicable; CVSS 4.0 has no Scope metric)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 01:33 (vuln.today)

Description (CVE.org)

A vulnerability was found in code-projects Voting System 1.0. Affected by this issue is some unknown functionality of the file /admin/voters_add.php. The manipulation of the argument Firstname/Lastname/Platform results in cross-site scripting. The attack can be executed remotely. The exploit has been made public and could be used.

Analysis (AI)

Stored cross-site scripting (XSS) in code-projects Voting System 1.0 allows remote attackers to inject malicious scripts via the Firstname, Lastname, or Platform parameters of /admin/voters_add.php; user interaction is required to trigger payload execution. The CVSS score is low (2.1) because of that user-interaction requirement, but publicly available exploit code exists and the attack requires no authentication or special configuration.

Technical Context (AI)

This is a reflected or stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a PHP-based voting application. The vulnerable endpoint /admin/voters_add.php does not sanitize or encode the user-supplied Firstname, Lastname, and Platform parameters before rendering them in HTML output. An injected JavaScript payload therefore executes in the browser of whoever views the page, which could expose session cookies or admin credentials, or allow unauthorized actions to be performed within the application context.

Remediation (AI)

Upgrade to a patched version of code-projects Voting System if the vendor provides one; consult code-projects.org or the GitHub repository for the latest release. If no patched version is available, apply input validation and output encoding: pass every user-supplied value (Firstname, Lastname, Platform) through PHP's htmlspecialchars() or htmlentities() at the point where it is rendered in an HTML context, and add Content Security Policy (CSP) headers that block inline script execution. Additionally, restrict access to /admin/voters_add.php to trusted IP ranges and require strong authentication; these measures reduce the attack surface but do not address the root cause.
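The following PHP sketch, added here as an illustration and not taken from the code-projects Voting System, shows the two patterns the Technical Context and Remediation sections describe: the CWE-79 shape of echoing a submitted value straight into HTML, and the hardened form that validates the three named fields and encodes them with htmlspecialchars() at the point of output, under a CSP that disallows inline scripts. The form layout, the helper names (h(), validate_text_field(), render_voter_row()), the length limits and the CLI sample value are all assumptions; only the endpoint and parameter names come from the advisory.

```php
<?php
// Added example, not the project's own /admin/voters_add.php.
// Assumed: the page receives Firstname, Lastname and Platform by POST and
// renders them back into an HTML table.

declare(strict_types=1);

// Content Security Policy: no inline scripts and no third-party script sources,
// so an encoding slip elsewhere does not turn into script execution in the
// admin's browser. 'self' assumes the app serves its own scripts from its origin.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

// Output-encode a string for an HTML text or quoted-attribute context.
// ENT_QUOTES encodes both ' and ", so the value is also safe inside attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Input validation: a voter name or platform is bounded plain text. Validation
// narrows the data; it does not replace output encoding, because a legitimate
// value (a slogan containing '<' or '&') must still render correctly.
function validate_text_field(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    // Reject control characters (assumed policy); everything else is allowed.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', $value)) {
        return null;
    }
    return $value;
}

// VULNERABLE pattern (the CWE-79 shape): submitted values are interpolated
// directly into markup, so any tags they contain reach the browser intact.
function render_voter_row_unsafe(string $firstname, string $lastname, string $platform): string
{
    return "<tr><td>$firstname</td><td>$lastname</td><td>$platform</td></tr>";
}

// HARDENED pattern: every untrusted value passes through h() exactly where it is
// placed into HTML, regardless of what validation ran earlier.
function render_voter_row(string $firstname, string $lastname, string $platform): string
{
    return '<tr><td>' . h($firstname) . '</td><td>' . h($lastname) . '</td><td>' . h($platform) . '</td></tr>';
}

if (PHP_SAPI === 'cli') {
    // Constructed sample value (not from the advisory) to show the difference:
    // the unsafe row keeps the <b> tags and bare '&'; the hardened row encodes them.
    $sample = 'Ann <b>Doe</b> & Co';
    echo render_voter_row_unsafe($sample, 'Smith', 'Lower fees'), PHP_EOL;
    echo render_voter_row($sample, 'Smith', 'Lower fees'), PHP_EOL;
    exit;
}

// Web request handling (assumed form shape and length limits).
$firstname = validate_text_field((string)($_POST['Firstname'] ?? ''), 50);
$lastname  = validate_text_field((string)($_POST['Lastname']  ?? ''), 50);
$platform  = validate_text_field((string)($_POST['Platform']  ?? ''), 500);

if ($firstname === null || $lastname === null || $platform === null) {
    http_response_code(400);
    echo '<p>Invalid voter data.</p>';
    exit;
}

// Persisting the record would use a prepared statement here; the page does not
// describe the storage layer, so it is omitted.
echo '<table>' . render_voter_row($firstname, $lastname, $platform) . '</table>';
```

Run from the command line (`php voters_add_example.php`) the script prints the unsafe and hardened rows for the constructed sample so the encoding effect can be compared; served by a web server it handles a POST. The CSP header is set before any output so PHP can still send it, and the encoding lives in the rendering helper rather than in the validation step, which is what makes the fix hold even if a new code path later bypasses validation.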


CVE-2025-11512 vulnerability details – vuln.today
