abhicodebox ModernShop CVE-2025-12267
LOWSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
1DescriptionCVE.org
A flaw has been found in abhicodebox ModernShop 20250922. This issue affects some unknown processing of the file /search. Executing manipulation of the argument q can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.
AnalysisAI
Cross-site scripting (XSS) vulnerability in abhicodebox ModernShop 20250922 allows remote attackers to inject malicious scripts via the 'q' parameter in the /search endpoint, requiring user interaction to execute. The vulnerability has a published exploit and low CVSS score (2.1) due to user interaction requirement, but affects the integrity of victim sessions with EPSS exploitation probability of 0.03% indicating minimal real-world exploitation likelihood.
Technical ContextAI
The vulnerability exists in the search functionality of ModernShop, a PHP-based e-commerce platform. The /search endpoint fails to properly sanitize or encode user-supplied input in the 'q' query parameter before reflecting it in HTTP responses. This is a classic reflected cross-site scripting (CWE-79) flaw where untrusted user input is directly output to the browser without HTML encoding, allowing attackers to inject arbitrary JavaScript code that executes in the context of the victim's browser session.
Affected ProductsAI
abhicodebox ModernShop version 20250922 is confirmed affected. The vulnerability exists in the search functionality endpoint. Additional version information and product CPE details are not available from the provided data, limiting assessment of version range or upgrade path.
RemediationAI
No vendor-released patch identified at time of analysis. Immediate mitigation requires input validation and output encoding: implement HTML entity encoding on all user-supplied input reflected in HTTP responses, particularly the 'q' parameter in the /search endpoint using functions appropriate to the output context (e.g., htmlspecialchars() in PHP). Apply content security policy (CSP) headers with script-src directives to restrict inline script execution, reducing payload effectiveness even if XSS injection succeeds. Consider input whitelisting for the search parameter to allow only alphanumeric characters and spaces. For organizations unable to patch immediately, disable the /search endpoint if not critical to business operations, or require authentication before search access. Review the Codester platform advisory at https://www.codester.com/items/comments/58847/modern-shop-php-ecommerce-platform for vendor guidance and monitor for official patches from abhicodebox.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today