Skip to main content

abhicodebox ModernShop CVE-2025-12267

LOW
Cross-site Scripting (XSS) (CWE-79)
2025-10-27 cna@vuldb.com
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

1
Analysis Generated
Apr 29, 2026 - 01:36 vuln.today

DescriptionCVE.org

A flaw has been found in abhicodebox ModernShop 20250922. This issue affects some unknown processing of the file /search. Executing manipulation of the argument q can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.

AnalysisAI

Cross-site scripting (XSS) vulnerability in abhicodebox ModernShop 20250922 allows remote attackers to inject malicious scripts via the 'q' parameter in the /search endpoint, requiring user interaction to execute. The vulnerability has a published exploit and low CVSS score (2.1) due to user interaction requirement, but affects the integrity of victim sessions with EPSS exploitation probability of 0.03% indicating minimal real-world exploitation likelihood.

Technical ContextAI

The vulnerability exists in the search functionality of ModernShop, a PHP-based e-commerce platform. The /search endpoint fails to properly sanitize or encode user-supplied input in the 'q' query parameter before reflecting it in HTTP responses. This is a classic reflected cross-site scripting (CWE-79) flaw where untrusted user input is directly output to the browser without HTML encoding, allowing attackers to inject arbitrary JavaScript code that executes in the context of the victim's browser session.

Affected ProductsAI

abhicodebox ModernShop version 20250922 is confirmed affected. The vulnerability exists in the search functionality endpoint. Additional version information and product CPE details are not available from the provided data, limiting assessment of version range or upgrade path.

RemediationAI

No vendor-released patch identified at time of analysis. Immediate mitigation requires input validation and output encoding: implement HTML entity encoding on all user-supplied input reflected in HTTP responses, particularly the 'q' parameter in the /search endpoint using functions appropriate to the output context (e.g., htmlspecialchars() in PHP). Apply content security policy (CSP) headers with script-src directives to restrict inline script execution, reducing payload effectiveness even if XSS injection succeeds. Consider input whitelisting for the search parameter to allow only alphanumeric characters and spaces. For organizations unable to patch immediately, disable the /search endpoint if not critical to business operations, or require authentication before search access. Review the Codester platform advisory at https://www.codester.com/items/comments/58847/modern-shop-php-ecommerce-platform for vendor guidance and monitor for official patches from abhicodebox.

Share

CVE-2025-12267 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy