Skip to main content

Iqbolshoh php-business-website CVE-2025-12224

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-27 cna@vuldb.com
2.0
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.0 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:19 vuln.today

DescriptionCVE.org

A flaw has been found in Iqbolshoh php-business-website up to 10677743a8dfc281f85291a27cf63a0bce043c24. This vulnerability affects unknown code of the file admin/contact.php. This manipulation of the argument twitter causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stored cross-site scripting (XSS) in Iqbolshoh php-business-website admin/contact.php allows authenticated attackers with user interaction to inject malicious scripts via the twitter parameter, affecting data integrity for other users. The vulnerability affects a rolling-release project up to commit 10677743a8dfc281f85291a27cf63a0bce043c24, has published exploit code available, but carries low real-world risk due to authentication requirement (PR:L), user interaction dependency (UI:P), and limited impact scope (VI:L only). EPSS exploitation probability is 0.03% (7th percentile), indicating minimal practical exploitation likelihood despite public POC availability.

Technical ContextAI

This is a stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a PHP-based business website management application. The admin/contact.php file fails to properly sanitize or encode user-controlled input from the twitter parameter before storing it in a backend system or displaying it to other users. The vulnerability exists in a PHP application using a rolling release model (continuous updates without fixed version tags), making traditional version-tracking difficult. The attack requires an authenticated user (PR:L) with admin or similar privileged access to the admin panel, plus user interaction (UI:P) such as viewing a crafted page, suggesting the XSS payload is stored and triggered when another user accesses the affected data.

Affected ProductsAI

Iqbolshoh php-business-website up to commit 10677743a8dfc281f85291a27cf63a0bce043c24. Due to the rolling release model, no specific version numbers are available; affected systems are identified by Git commit hash rather than version tag. The vulnerability impacts the admin/contact.php module. More information is available at https://vuldb.com/?id.329894.

RemediationAI

No vendor-released patch is available due to unresponsive vendor. Users should: (1) manually review the php-business-website repository (https://github.com/mhszed/Report) for any subsequent commits after 10677743a8dfc281f85291a27cf63a0bce043c24 that may address XSS sanitization in admin/contact.php; (2) implement input validation and output encoding on the twitter parameter using a PHP escaping library (e.g., htmlspecialchars() with ENT_QUOTES flag) to neutralize any stored payloads before display; (3) restrict administrative access to the admin panel via IP whitelisting or network segmentation to limit the attack surface to trusted administrator networks; (4) implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads in form submissions to admin/contact.php; (5) sanitize the database by removing any existing malicious scripts from stored twitter parameter data. A temporary workaround is to disable or hide the twitter parameter field in the admin contact form until sanitization is applied. Note: these mitigations require manual code changes since the vendor is unresponsive.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2025-12224 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy