code-projects E-Commerce Website CVE-2025-12335
Severity (by source): LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; only source for this CVE.
Description (CVE.org)
A vulnerability was determined in code-projects E-Commerce Website 1.0. Affected by this vulnerability is an unknown functionality of the file /pages/supplier_update.php. This manipulation of the argument supp_name/supp_address causes cross-site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Analysis (AI-generated)
Stored cross-site scripting (XSS) in code-projects E-Commerce Website 1.0 allows remote attackers to inject malicious scripts via the supp_name or supp_address parameters in /pages/supplier_update.php. Exploitation requires user interaction (clicking a malicious link) but no authentication. Publicly available exploit code exists; real-world exploitation risk is low (EPSS 0.04%, CVSS 2.1) due to limited scope and required user interaction, but the vulnerability is disclosed and weaponizable.
Technical Context (AI-generated)
The vulnerability is a reflected or stored cross-site scripting (XSS) flaw in a PHP-based e-commerce application. The /pages/supplier_update.php endpoint accepts user-supplied input in the supp_name and supp_address parameters without proper sanitization or encoding before rendering it to the browser or storing it in the database. This violates CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack vector is network-based (AV:N), complexity is low (AC:L), and user interaction is required (UI:P), most likely a victim clicking a crafted link containing a malicious JavaScript payload. The rated impact is limited to low integrity (VI:L): an injected script can alter the content or visual presentation of the affected user's session, with no confidentiality impact recorded in the vector (VC:N) and no effect on the broader system.
Remediation (AI-generated)
No vendor-released patch is identified at the time of analysis. The primary mitigation is to upgrade from version 1.0 if a patched version becomes available from the code-projects maintainer (check https://code-projects.org/). Until a patch exists, implement input validation and output encoding immediately: validate all user input to the supp_name and supp_address parameters against a whitelist of allowed characters (alphanumeric, spaces, hyphens) and reject or sanitize special characters such as < > " ' &. Apply context-aware HTML entity encoding (e.g., htmlspecialchars() in PHP with the ENT_QUOTES flag) to all output rendered by /pages/supplier_update.php. Alternatively, disable the supplier update functionality entirely if it is not business-critical, or restrict access to this endpoint by IP whitelist or require strong authentication (multi-factor if possible) to shrink the set of users who can reach the vulnerable page. Deploy Content Security Policy (CSP) headers to limit the impact of any injected script. Monitor web server logs for requests containing JavaScript patterns (script, onerror, onload, etc.) in these parameters to detect exploitation attempts.
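As an added example (not code from the code-projects application or from this advisory), the following PHP sketch shows a hardened handler for the two parameters combining the allow-list validation, ENT_QUOTES output encoding and CSP header recommended above; the function names, the supplier table and column names, and the PDO usage are assumptions.

```php
<?php
// Added example, not the project's own code: hardened handling of the
// supp_name / supp_address parameters of a supplier_update.php-style page.
declare(strict_types=1);

// Allow-list validation following the advisory's list (letters, digits,
// spaces, hyphens) with a length bound. Extend the class with ',' and '.'
// if real addresses need them; never widen it to include < > " ' &.
function validate_supplier_field(string $value, int $maxLen = 100): ?string
{
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9 -]+$/', $value) === 1 ? $value : null;
}

// Context-aware encoding for HTML body and quoted-attribute contexts.
// ENT_QUOTES encodes both ' and ", so the value is safe inside value="...".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth: block inline script even if an encoding call is missed.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");

$suppName    = validate_supplier_field($_POST['supp_name'] ?? '');
$suppAddress = validate_supplier_field($_POST['supp_address'] ?? '', 200);

if ($suppName === null || $suppAddress === null) {
    http_response_code(400);
    exit('Invalid supplier name or address.');
}

// Persist with a prepared statement (table/column names and $pdo assumed),
// then re-encode on every render: stored data is never trusted as clean.
// $stmt = $pdo->prepare('UPDATE supplier SET supp_name = ?, supp_address = ? WHERE supp_id = ?');
// $stmt->execute([$suppName, $suppAddress, $supplierId]);
?>
<input type="text" name="supp_name" value="<?= h($suppName) ?>">
<textarea name="supp_address"><?= h($suppAddress) ?></textarea>
```

With this pattern an input such as O'Brien & Sons <b> is rejected by the allow-list, and any value that does pass is rendered as entity-encoded text rather than markup.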