Skip to main content

Phox Hosting CVE-2026-25013

| EUVDEUVD-2026-15615 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-pp2p-phm2-w3jm
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15615
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:14 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WHMCSdes Phox Hosting phox-host allows Reflected XSS.This issue affects Phox Hosting: from n/a through <= 2.0.8.

AnalysisAI

A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WHMCSdes Phox Hosting plugin (versions up to and including 2.0.8) that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of a victim's browser session. While no CVSS score, EPSS probability, or active KEV status was provided in available intelligence, the reflected XSS classification indicates moderate-to-high real-world risk depending on deployment context and user interaction requirements.

Technical ContextAI

The vulnerability is classified as Reflected Cross-Site Scripting (CWE-79: Improper Neutralization of Input During Web Page Generation), a category of web application vulnerability where untrusted user input is echoed back into HTML responses without proper sanitization or encoding. The affected product is the Phox Hosting plugin (CPE: cpe:2.3:a:whmcsdes:phox_hosting:*:*:*:*:*:*:*:*) for WHMCS, a web hosting control panel system. Reflected XSS vulnerabilities occur when an application directly incorporates user-supplied parameters (typically from URL query strings or POST data) into dynamically generated web pages without encoding them as HTML entities or applying Content Security Policy (CSP) protections. This allows attackers to craft malicious URLs containing JavaScript payloads that execute when a victim visits the link, potentially compromising session tokens, credentials, or performing unauthorized actions on behalf of the user.

RemediationAI

Upgrade the Phox Hosting plugin to a version newer than 2.0.8 immediately; check the vendor's official update channel or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/phox-host/vulnerability/wordpress-phox-hosting-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for the latest patched version and installation instructions. Until patching is completed, implement the following mitigations: enforce HTTPS-only access to the Phox Hosting admin interface via web server configuration, deploy a Web Application Firewall (WAF) with rules to detect and block common XSS payloads, apply strict Content Security Policy (CSP) headers to restrict inline script execution, and limit access to the hosting control panel to trusted IP ranges or require VPN access. Additionally, educate administrators and staff not to click on untrusted links or share control panel URLs from external sources, as reflected XSS requires user interaction to be triggered.

Share

CVE-2026-25013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy