projectworlds Expense Management System CVE-2025-12231
Severity by source: LOW
Primary rating from NVD (the only source for this CVE).
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security vulnerability has been detected in projectworlds Expense Management System 1.0. Affected is an unknown function of the file /public/admin/expense_categories/create of the component Expense Categories Page. Such manipulation leads to cross-site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.
Analysis (AI)
Stored cross-site scripting in projectworlds Expense Management System 1.0 allows a high-privileged authenticated user to inject script via the Expense Categories creation page; the stored payload then affects other users who view the poisoned content. Exploitation requires administrator-level access and user interaction (a victim rendering the page), which limits real-world impact despite the network delivery vector. Publicly available exploit code exists, but the EPSS exploitation probability is very low at 0.03%, suggesting this is primarily a proof-of-concept risk rather than an actively exploited threat.
Technical Context (AI)
The vulnerability is a stored cross-site scripting (XSS) flaw (CWE-79) in the Expense Categories Page component, specifically the /public/admin/expense_categories/create endpoint. The underlying issue is insufficient input validation or output encoding on the admin interface: a user with administrative privileges can store unescaped input in an expense category record, and that input later executes in the browsers of other users who view the categories list. The attack surface is limited to authenticated administrative users, and because the payload persists in expense category records, it is a delayed vector that fires only when a victim accesses the categorized expense data.
Remediation (AI)
Primary remediation requires patching to a version beyond 1.0; however, no vendor-released patch version is confirmed in available data. Contact projectworlds directly for an updated release. Immediate compensating controls include:
1. Implement strict input validation and HTML entity encoding on all user input to the expense_categories/create endpoint, blocking or escaping special characters such as <, >, &, and quotes.
2. Apply Content Security Policy (CSP) headers to restrict script execution origins, mitigating payload execution even if a payload is stored.
3. Restrict access to the Expense Categories creation function using role-based access controls, limiting the privilege to only those users who require it.
4. Enable the HttpOnly and Secure flags on session cookies to prevent token theft via XSS.
5. Conduct a security code review of the /public/admin/expense_categories/create component and all similar admin forms.
See VulDB entry https://vuldb.com/?id.329901 for additional vendor information.
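The Technical Context and Remediation sections above describe the defect (stored category names reaching the page unencoded) and the fix (validation on the create endpoint plus output encoding and CSP). The following is an added illustration, not code from projectworlds or from this advisory; the function names, the category store, and the sample category names are all constructed for the example. It places the vulnerable rendering pattern next to the hardened one so the difference in the produced HTML is visible, and shows the validation and header controls from the remediation list.

```python
import html
import re

# Constructed sample category names: one benign, one with inline markup,
# one carrying a script tag (the kind of value the advisory says can be stored).
SAMPLE_NAMES = [
    "Travel",
    "Office <b>Supplies</b>",
    "Travel<script>alert(1)</script>",
]

MAX_NAME_LEN = 64
# Defense in depth: category names have no legitimate need for angle brackets.
FORBIDDEN_CHARS = re.compile(r"[<>]")


def validate_category_name(name):
    """Server-side validation for the create endpoint (hypothetical helper).

    Returns (ok, reason). Rejects bad input instead of trying to 'clean' it;
    output encoding (below) still protects the remaining characters such as
    & and quotes, which are legitimate in names.
    """
    if not isinstance(name, str):
        return False, "not a string"
    name = name.strip()
    if not name:
        return False, "empty"
    if len(name) > MAX_NAME_LEN:
        return False, "too long"
    if FORBIDDEN_CHARS.search(name):
        return False, "angle brackets are not allowed"
    return True, None


def create_category(store, name):
    """Hardened create handler: validate first, store only accepted names."""
    ok, reason = validate_category_name(name)
    if not ok:
        return False, reason
    store.append({"name": name.strip()})
    return True, None


def render_row_unsafe(category):
    # The vulnerable pattern: the stored value is concatenated into HTML as-is,
    # so any markup in the name becomes part of the page.
    return "<tr><td>" + category["name"] + "</td></tr>"


def render_row_safe(category):
    # Context-aware output encoding for HTML text content. quote=True also
    # encodes both quote characters, so the same helper is safe in attributes.
    return "<tr><td>" + html.escape(category["name"], quote=True) + "</td></tr>"


def render_table(store, safe=True):
    rows = [render_row_safe(c) if safe else render_row_unsafe(c) for c in store]
    return "<table>" + "".join(rows) + "</table>"


def security_headers():
    """Response headers for the compensating controls in the remediation list.

    The CSP permits scripts only from the application's own origin, so an
    inline payload stored in a category name is blocked even if encoding
    were missed somewhere. Cookie flags are shown as they would be emitted.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'none'; frame-ancestors 'none'"
        ),
        "Set-Cookie": "session=<value>; HttpOnly; Secure; SameSite=Lax",
    }


if __name__ == "__main__":
    store = []
    for name in SAMPLE_NAMES:
        ok, reason = create_category(store, name)
        print(f"{name!r}: {'accepted' if ok else 'rejected (' + reason + ')'}")
    # Even if a bad value had reached the store, the safe renderer neutralises it.
    poisoned = [{"name": SAMPLE_NAMES[2]}]
    print(render_table(poisoned, safe=False))
    print(render_table(poisoned, safe=True))
    for k, v in security_headers().items():
        print(f"{k}: {v}")
```

Running the block shows the two markup-bearing names rejected at the create endpoint, and for a value that somehow reached storage, the unsafe renderer emitting a live `<script>` element while the safe renderer emits `&lt;script&gt;`. The validation step and the encoding step are deliberately independent: either alone closes this particular hole, and the CSP is a third layer in case a future form forgets both.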