code-projects E-Commerce Website CVE-2025-12333
LOW severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability has been found in code-projects E-Commerce Website 1.0. It affects an unknown function of the file /pages/supplier_add.php. Manipulation of the argument supp_name/supp_address leads to cross-site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject scripts via the supp_name and supp_address parameters of /pages/supplier_add.php. Exploitation requires user interaction (a victim opening a crafted link) but can lead to session hijacking, credential theft, and malware distribution. Public exploit code exists; however, the EPSS score of 0.04% (11th percentile) indicates exploitation remains uncommon despite disclosure, most likely because this niche e-commerce platform is rarely deployed.
Technical Context (AI)
The vulnerability is a reflected XSS flaw (CWE-79: Improper Neutralization of Input During Web Page Generation) in a PHP-based e-commerce application. The supplier management endpoint /pages/supplier_add.php neither validates nor encodes the user-supplied supp_name and supp_address parameters before reflecting them into the HTTP response. An attacker can craft a URL whose parameters carry JavaScript; when a victim opens it, the script executes in the victim's browser within the application's own origin, so the same-origin policy offers no protection and the script runs with the privileges of the victim's authenticated session. The affected product is code-projects E-Commerce Website version 1.0, identified by CPE cpe:2.3:a:fabian:e-commerce_website:1.0:*:*:*:*:*:*:*.
Remediation (AI)
No vendor-released patch has been identified at the time of analysis. Immediate workarounds include the following. Validate input and encode output for the supp_name and supp_address parameters, using HTML entity encoding or a context-aware escaping library (for example OWASP ESAPI, or PHP's htmlspecialchars() with the ENT_QUOTES flag). Deploy a Web Application Firewall (WAF) rule that blocks requests carrying JavaScript keywords or script tags in supplier-related parameters; treat this as a stop-gap, since keyword filters do not replace output encoding. Restrict access to /pages/supplier_add.php to authenticated users and enforce CSRF tokens on the form. Enable a Content Security Policy (CSP) header that disallows inline script execution. If the affected application is mission-critical and cannot be removed, apply a custom patch to supplier_add.php that sanitizes input before output. Consider migrating to a maintained e-commerce platform if this product is no longer actively developed by the vendor.
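As an added illustration of the encoding fix described above (this is example code, not the project's own supplier_add.php, whose real structure is unknown), the following hypothetical handler shows the unencoded reflection pattern beside a hardened version that validates the fields, encodes them with htmlspecialchars() and ENT_QUOTES for the exact output context, and sets a CSP header. The function names, field lengths and form layout are assumptions.

```php
<?php
// Added example (not code-projects' own file): a minimal, hypothetical supplier
// form handler showing raw reflection of supp_name / supp_address beside the
// hardened version. Field limits and markup are assumptions for illustration.

declare(strict_types=1);

// Encoder for HTML body text and double-quoted attribute values.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE avoids empty output on bad UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Length and character validation for supplier fields (assumed limits), applied
// before storage and before output. Returns null when the value is rejected.
function validate_supplier_field(string $value, int $maxLen): ?string
{
    $value = trim($value);
    if ($value === '' || mb_strlen($value, 'UTF-8') > $maxLen) {
        return null;
    }
    // Reject control characters; markup characters are neutralised by encoding later.
    return preg_match('/[\x00-\x1F\x7F]/u', $value) ? null : $value;
}

// --- Vulnerable pattern (CWE-79): request values are echoed into the page as-is. ---
function render_vulnerable(array $get): string
{
    $name = $get['supp_name'] ?? '';
    $addr = $get['supp_address'] ?? '';
    return "<input name=\"supp_name\" value=\"$name\"><p>$addr</p>";
}

// --- Hardened pattern: validate, then encode for each output context. ---
function render_hardened(array $get): string
{
    $name = validate_supplier_field((string)($get['supp_name'] ?? ''), 100) ?? '';
    $addr = validate_supplier_field((string)($get['supp_address'] ?? ''), 255) ?? '';
    return '<input name="supp_name" value="' . h($name) . '"><p>' . h($addr) . '</p>';
}

// Defence in depth: a CSP that forbids inline scripts even if encoding is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

// Constructed sample input containing quote and angle-bracket characters (not a payload).
$sample = ['supp_name' => 'Acme "Ltd" <b>Supplies</b>', 'supp_address' => "1 Main St & Co's"];
echo render_hardened($sample), "\n";
```

With the constructed sample, render_hardened() emits `&quot;`, `&lt;`, `&gt;`, `&amp;` and `&apos;` in place of the raw characters, so the browser renders them as text rather than markup.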