projectworlds Gate Pass Management System CVE-2025-12227
Severity (by source): LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Description (source: CVE.org)
A vulnerability was determined in projectworlds Gate Pass Management System 1.0. The affected element is an unknown function of the file /add-pass.php. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in projectworlds Gate Pass Management System 1.0 allows authenticated users to inject malicious scripts via the /add-pass.php endpoint, which execute in the browsers of other users who view the affected content. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), limiting its scope to reflected or stored XSS within an authenticated session. Publicly available exploit code exists, though EPSS exploitation probability remains very low at 0.03%, suggesting limited real-world weaponization despite public disclosure.
Technical Context (AI-generated)
The vulnerability resides in the /add-pass.php file of a PHP-based gate pass management application. CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting') indicates the root cause is insufficient input validation or output encoding when processing user-supplied data. The affected parameter in /add-pass.php fails to sanitize or escape input before rendering it in HTTP responses, allowing an authenticated attacker to craft malicious payloads (typically JavaScript) that execute in victim browsers. The attack vector is network-based (AV:N), but requires prior authentication (PR:L) and user interaction (UI:P), such as a victim clicking a crafted link or visiting a page containing the injected payload.
Remediation (AI-generated)
No vendor-released patch has been identified at the time of analysis; projectworlds has not published a fixed version in available advisories. Immediate remediation requires upgrading to a patched version if released by the vendor, or implementing application-level input validation and output encoding. Specific compensating controls:
(1) Implement strict input validation on all parameters processed by /add-pass.php, using a whitelist of allowed characters and formats.
(2) Apply HTML entity encoding or context-aware escaping to all user-supplied data before rendering it in HTML responses, using a library such as OWASP ESAPI or equivalent.
(3) Deploy a Web Application Firewall (WAF) rule to block requests containing common XSS payloads (script tags, event handlers, JavaScript protocols).
(4) Enforce Content Security Policy (CSP) headers to restrict inline script execution and limit script sources to trusted domains; this mitigates the impact of XSS even if injection succeeds.
(5) Restrict access to the /add-pass.php endpoint via role-based access control (RBAC), limiting authenticated users to those with a legitimate business need.
Monitor application logs for suspicious input patterns or encoding attempts in add-pass parameters.
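As an added illustration (not the project's own code), the hardened shape of a PHP form handler such as /add-pass.php, combining whitelist validation, output encoding, CSP and a role check as described above. The field names, the session role value and the unsafe line shown in the comment are hypothetical; the advisory does not name the affected parameter or function.

```php
<?php
// Added example, not projectworlds code. Field names (visitor_name, purpose,
// pass_date) and the 'gate_officer' role are hypothetical placeholders.
declare(strict_types=1);
session_start();

// Role-based access: only users with a business need reach this handler.
if (($_SESSION['role'] ?? '') !== 'gate_officer') {
    http_response_code(403);
    exit('Forbidden');
}

// CSP: no inline scripts, so an injected <script> block is not executed even
// if an encoding step is missed elsewhere. Headers must precede any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

// Whitelist validation: gate pass fields have a known, narrow shape.
function validate_pass_field(string $name, string $value): ?string
{
    $rules = [
        'visitor_name' => '/^[\p{L} .\'-]{1,80}$/u',      // letters, space . ' -
        'purpose'      => '/^[\p{L}\p{N} ,.\-]{1,200}$/u', // letters, digits , . -
        'pass_date'    => '/^\d{4}-\d{2}-\d{2}$/',         // YYYY-MM-DD
    ];
    if (!isset($rules[$name]) || preg_match($rules[$name], $value) !== 1) {
        return null; // reject anything outside the allowed pattern
    }
    return $value;
}

// Context-aware encoding for the HTML body/attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The CWE-79 pattern this replaces writes the raw value into the page:
//   echo "<td>" . $_POST['visitor_name'] . "</td>";
$fields = [];
foreach (['visitor_name', 'purpose', 'pass_date'] as $name) {
    $clean = validate_pass_field($name, (string)($_POST[$name] ?? ''));
    if ($clean === null) {
        http_response_code(400);
        exit('Invalid value for ' . h($name));
    }
    $fields[$name] = $clean;
}

// Encode at render time, whether the value comes from the request now or
// from the database later; this is what stops the stored variant.
foreach ($fields as $name => $value) {
    echo '<tr><th>' . h($name) . '</th><td>' . h($value) . '</td></tr>' . "\n";
}
```

The same h() wrapper must be applied wherever previously stored pass records are rendered, since stored XSS triggers on read, not on write.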