Iqbolshoh php-business-website CVE-2025-12224
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in Iqbolshoh php-business-website up to 10677743a8dfc281f85291a27cf63a0bce043c24. This vulnerability affects unknown code of the file admin/contact.php. This manipulation of the argument twitter causes cross site scripting. The attack may be initiated remotely. The exploit has been published and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. Other parameters might be affected as well. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Stored cross-site scripting (XSS) in Iqbolshoh php-business-website admin/contact.php allows authenticated attackers with user interaction to inject malicious scripts via the twitter parameter, affecting data integrity for other users. The vulnerability affects a rolling-release project up to commit 10677743a8dfc281f85291a27cf63a0bce043c24, has published exploit code available, but carries low real-world risk due to authentication requirement (PR:L), user interaction dependency (UI:P), and limited impact scope (VI:L only). EPSS exploitation probability is 0.03% (7th percentile), indicating minimal practical exploitation likelihood despite public POC availability.
Technical ContextAI
This is a stored XSS vulnerability (CWE-79: Improper Neutralization of Input During Web Page Generation) in a PHP-based business website management application. The admin/contact.php file fails to properly sanitize or encode user-controlled input from the twitter parameter before storing it in a backend system or displaying it to other users. The vulnerability exists in a PHP application using a rolling release model (continuous updates without fixed version tags), making traditional version-tracking difficult. The attack requires an authenticated user (PR:L) with admin or similar privileged access to the admin panel, plus user interaction (UI:P) such as viewing a crafted page, suggesting the XSS payload is stored and triggered when another user accesses the affected data.
Affected ProductsAI
Iqbolshoh php-business-website up to commit 10677743a8dfc281f85291a27cf63a0bce043c24. Due to the rolling release model, no specific version numbers are available; affected systems are identified by Git commit hash rather than version tag. The vulnerability impacts the admin/contact.php module. More information is available at https://vuldb.com/?id.329894.
RemediationAI
No vendor-released patch is available due to unresponsive vendor. Users should: (1) manually review the php-business-website repository (https://github.com/mhszed/Report) for any subsequent commits after 10677743a8dfc281f85291a27cf63a0bce043c24 that may address XSS sanitization in admin/contact.php; (2) implement input validation and output encoding on the twitter parameter using a PHP escaping library (e.g., htmlspecialchars() with ENT_QUOTES flag) to neutralize any stored payloads before display; (3) restrict administrative access to the admin panel via IP whitelisting or network segmentation to limit the attack surface to trusted administrator networks; (4) implement a Web Application Firewall (WAF) rule to detect and block common XSS payloads in form submissions to admin/contact.php; (5) sanitize the database by removing any existing malicious scripts from stored twitter parameter data. A temporary workaround is to disable or hide the twitter parameter field in the admin contact form until sanitization is applied. Note: these mitigations require manual code changes since the vendor is unresponsive.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today