
projectworlds Expense Management System CVE-2025-12230

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-27 cna@vuldb.com
1.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
1.9 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector · NVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
High
User Interaction
Passive
Vulnerable System Impact (C / I / A)
None / Low / None
Subsequent System Impact (C / I / A)
None / None / None
Exploit Maturity
Proof-of-Concept
Safety (supplemental)
Not Defined

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 02:30 vuln.today

Description · CVE.org

A weakness has been identified in projectworlds Expense Management System 1.0. This impacts an unknown function of the file /public/admin/currencies/create of the component Currency Page. This manipulation causes cross-site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

Analysis · AI

Cross-site scripting (XSS) in projectworlds Expense Management System 1.0 lets an authenticated, high-privilege user inject script through the currency creation form of the Currency Page component (/public/admin/currencies/create). Because the endpoint creates a persistent record, the payload is most likely stored and rendered to anyone who later views the currency data, although the advisory itself does not say whether the flaw is stored or reflected. Exploitation needs administrative privileges and a victim who merely views the affected page (passive user interaction), so real-world risk is limited, consistent with the low EPSS score, even though a public proof-of-concept exploit exists.

Technical Context · AI

The flaw is a cross-site scripting weakness (CWE-79) in the Currency Page component of the Expense Management System's administrative interface; the advisory does not state whether it is stored or reflected. The endpoint /public/admin/currencies/create does not sanitize or encode user-supplied input before it is rendered in an HTML response. The CVSS 4.0 vector records a network-reachable attack surface (AV:N) with low complexity (AC:L) and no special attack requirements (AT:N), but exploitation is gated by high privileges (PR:H): only an administrator or similarly privileged user can plant the payload. User interaction is passive (UI:P), meaning the victim only has to view the affected page, not click anything. Impact is confined to a low integrity loss on the vulnerable system (VC:N/VI:L/VA:N) with no subsequent-system impact (SC:N/SI:N/SA:N), and the threat metric E:P records that a proof-of-concept exploit is public. The CPE string cpe:2.3:a:projectworlds:expense_management_system:1.0:*:*:*:*:*:*:* identifies the affected product and version.

Remediation · AI

Upgrade to a patched version of projectworlds Expense Management System if the vendor publishes one. If no upgrade path exists, fix the /public/admin/currencies/create handler and every view that renders currency data: apply context-aware output encoding at render time (HTML entity encoding in HTML body and attribute contexts, JavaScript string escaping inside script blocks) rather than denylist filtering of input. Output encoding is the primary control; allow-list input validation for currency codes and names is worthwhile defence in depth but does not replace it. Deploy a Content Security Policy that permits scripts only via per-response nonces together with 'strict-dynamic', so an injected inline handler or <script> tag is refused by the browser even if an encoding gap remains. Limit the currency management functionality to the smallest set of administrators, enforce session timeouts on administrative accounts, and log every change to currency configuration. After applying any fix, create a currency whose name carries a harmless marker such as <b>test</b> and confirm in the page source that it is rendered as entities, not as live markup. No vendor-released patch version is independently confirmed at the time of analysis; consult projectworlds support directly for availability.
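As an added, illustrative example covering both the Technical Context and the Remediation above (this is not code from projectworlds Expense Management System, whose implementation language and templates the advisory does not show), the following Python sketch places the unencoded rendering pattern behind a flaw of this kind beside the hardened form: output encoding at render time, allow-list validation as defence in depth, and a nonce-based CSP with 'strict-dynamic'. It also includes the check a practitioner would run to confirm a fix. The Currency record, the render functions, the allow-list patterns, the CSP helper and the sample payload are all assumptions constructed for this example.

```python
import html
import re
import secrets
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Currency:
    code: str   # e.g. "USD"
    name: str   # free-text label an administrator types into the create form


# Constructed sample input: a benign marker payload of the kind a rogue
# administrator could submit as a currency name. The alert is only a marker.
POC_NAME = '<img src=x onerror="alert(1)">'
SAMPLE_CURRENCIES = [Currency("USD", "US Dollar"), Currency("XXX", POC_NAME)]


def render_row_vulnerable(c: Currency) -> str:
    """Vulnerable pattern: stored text concatenated into HTML unencoded."""
    return f"<tr><td>{c.code}</td><td>{c.name}</td></tr>"


def render_row_fixed(c: Currency) -> str:
    """Hardened pattern: HTML entity encoding applied at output time.

    quote=True also encodes quotes, so the same value stays inert if it is
    later reused inside an attribute value.
    """
    return (f"<tr><td>{html.escape(c.code, quote=True)}</td>"
            f"<td>{html.escape(c.name, quote=True)}</td></tr>")


def render_list_page(rows: List[Currency],
                     renderer: Callable[[Currency], str]) -> str:
    """Assumed admin list view where a stored payload would run for any viewer."""
    body = "".join(renderer(c) for c in rows)
    return f"<!doctype html><html><body><table>{body}</table></body></html>"


def echoes_marker_unencoded(page: str, marker: str) -> bool:
    """Verification check: True if the raw marker survived into the HTML."""
    return marker in page


# Defence in depth: validate on the way in. Codes are three uppercase letters;
# names are drawn from a short allow-listed character set. This is a second
# layer, not a substitute for output encoding.
CODE_RE = re.compile(r"^[A-Z]{3}$")
NAME_RE = re.compile(r"^[A-Za-z0-9 .()'-]{1,64}$")


def validate_currency_input(code: str, name: str) -> List[str]:
    errors = []
    if not CODE_RE.match(code):
        errors.append("code must be exactly three uppercase letters")
    if not NAME_RE.match(name):
        errors.append("name contains characters outside the allowed set")
    return errors


def new_script_nonce() -> str:
    """Fresh, unguessable per-response nonce for the CSP below."""
    return secrets.token_urlsafe(16)


def build_csp_header(nonce: str) -> str:
    """Nonce-based CSP with 'strict-dynamic'.

    Inline event handlers such as onerror, and injected <script> tags that do
    not carry the nonce, are refused by the browser even if encoding is missed.
    """
    return (f"script-src 'nonce-{nonce}' 'strict-dynamic'; "
            "object-src 'none'; base-uri 'none'")


if __name__ == "__main__":
    vuln_page = render_list_page(SAMPLE_CURRENCIES, render_row_vulnerable)
    fixed_page = render_list_page(SAMPLE_CURRENCIES, render_row_fixed)
    print("vulnerable page echoes payload:", echoes_marker_unencoded(vuln_page, POC_NAME))
    print("fixed page echoes payload:     ", echoes_marker_unencoded(fixed_page, POC_NAME))
    print("validation errors for PoC name:", validate_currency_input("XXX", POC_NAME))
    print("Content-Security-Policy:", build_csp_header(new_script_nonce()))
```

The check function is deliberately simple: the fix is confirmed when the exact marker no longer appears in the page source, which is the same test described in the remediation text. The CSP header must be emitted with a new nonce on every response; a fixed or reused nonce gives an attacker who can read one page the value needed to bypass the policy.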


CVE-2025-12230 vulnerability details – vuln.today
