code-projects E-Commerce Website CVE-2025-12334
Severity: LOW (by source)
CVSS Vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
Description (CVE.org)
A vulnerability was found in code-projects E-Commerce Website 1.0. Affected is an unknown function of the file /pages/product_add.php. The manipulation of the argument prod_name/prod_desc/prod_cost results in cross-site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used.
Analysis (AI)
Reflected cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the prod_name, prod_desc, or prod_cost parameters in /pages/product_add.php. Exploitation requires user interaction (UI:P under CVSS 4.0) but no authentication, and can be performed remotely. Public exploit code exists, yet the EPSS score (0.04%, 11th percentile) indicates a low probability of real-world exploitation.
Technical Context (AI)
This is a stored or reflected XSS vulnerability (CWE-79) in a PHP-based e-commerce application. It exists in the product addition functionality (/pages/product_add.php), where user-supplied input in the prod_name, prod_desc, and prod_cost parameters is not sanitized or escaped before being output to the browser. The application likely lacks output encoding (e.g., htmlspecialchars() or context-aware escaping) and input validation, allowing attacker-controlled HTML/JavaScript to execute in victims' browsers. Because the endpoint is network-accessible and requires no authentication (PR:N), any remote user can craft malicious requests, though successful exploitation depends on a victim clicking a malicious link (UI:P).
Remediation (AI)
No vendor-released patch was identified at the time of analysis, and the project appears abandoned or unmaintained based on available information. Immediate remediation requires manual code changes to /pages/product_add.php: implement input validation that rejects or sanitizes the prod_name, prod_desc, and prod_cost parameters (allowlisting expected formats), and apply output encoding using htmlspecialchars() or a templating engine with auto-escaping before rendering these values in an HTML context. If modifying the source is not feasible, deploy a WAF (Web Application Firewall) rule that blocks requests containing script tags or HTML entities in these parameters. Restrict access to the /pages/product_add.php endpoint via IP allowlisting or require multi-factor authentication, which limits who can be lured into triggering the user-interaction step. Long-term: migrate to a maintained e-commerce platform that receives security updates.
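The following is an added example of the two remediation steps above (allowlist validation, then HTML escaping on output) for the three parameters named in the advisory; it is not code from the code-projects application, and the length limits, the price format and the table-cell output are assumptions for illustration.

```php
<?php
// Added example, not the project's code: hardened handling of the
// prod_name, prod_desc and prod_cost parameters from product_add.php.
// Database and session setup are omitted; $_POST stands in for the request.
declare(strict_types=1);

// Context-aware escaping for text placed between tags or inside
// double-quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Allowlist validation: returns the trimmed parameters plus any errors.
// Limits and the price pattern are assumed values for this example.
function validateProduct(array $input): array
{
    $errors = [];
    $name = trim((string)($input['prod_name'] ?? ''));
    $desc = trim((string)($input['prod_desc'] ?? ''));
    $cost = trim((string)($input['prod_cost'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'prod_name must be 1-100 characters';
    }
    if (mb_strlen($desc) > 2000) {
        $errors[] = 'prod_desc must be at most 2000 characters';
    }
    // A price is digits with an optional fraction of up to two decimals;
    // anything else (including markup) is rejected outright.
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', $cost)) {
        $errors[] = 'prod_cost must be a decimal amount such as 19.99';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'prod_name' => $name, 'prod_desc' => $desc, 'prod_cost' => $cost];
}

// The class of defect described by the advisory is a raw echo of request
// data, e.g.  echo '<td>' . $_POST['prod_name'] . '</td>';
// Hardened flow: validate first, then escape every value on output.
$result = validateProduct($_POST);
if (!$result['ok']) {
    http_response_code(400);
    foreach ($result['errors'] as $err) {
        echo '<p class="error">' . e($err) . '</p>';
    }
    exit;
}
echo '<td>' . e($result['prod_name']) . '</td>';
echo '<td>' . e($result['prod_desc']) . '</td>';
echo '<td>' . e($result['prod_cost']) . '</td>';
```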