Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WHMCSdes Phox Hosting phox-host allows Reflected XSS.This issue affects Phox Hosting: from n/a through <= 2.0.8.
AnalysisAI
A Reflected Cross-Site Scripting (XSS) vulnerability exists in the WHMCSdes Phox Hosting plugin (versions up to and including 2.0.8) that allows attackers to inject malicious scripts into web pages viewed by other users. The vulnerability stems from improper neutralization of user input during web page generation (CWE-79), enabling attackers to execute arbitrary JavaScript in the context of a victim's browser session. While no CVSS score, EPSS probability, or active KEV status was provided in available intelligence, the reflected XSS classification indicates moderate-to-high real-world risk depending on deployment context and user interaction requirements.
Technical ContextAI
The vulnerability is classified as Reflected Cross-Site Scripting (CWE-79: Improper Neutralization of Input During Web Page Generation), a category of web application vulnerability where untrusted user input is echoed back into HTML responses without proper sanitization or encoding. The affected product is the Phox Hosting plugin (CPE: cpe:2.3:a:whmcsdes:phox_hosting:*:*:*:*:*:*:*:*) for WHMCS, a web hosting control panel system. Reflected XSS vulnerabilities occur when an application directly incorporates user-supplied parameters (typically from URL query strings or POST data) into dynamically generated web pages without encoding them as HTML entities or applying Content Security Policy (CSP) protections. This allows attackers to craft malicious URLs containing JavaScript payloads that execute when a victim visits the link, potentially compromising session tokens, credentials, or performing unauthorized actions on behalf of the user.
RemediationAI
Upgrade the Phox Hosting plugin to a version newer than 2.0.8 immediately; check the vendor's official update channel or the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/phox-host/vulnerability/wordpress-phox-hosting-plugin-2-0-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve) for the latest patched version and installation instructions. Until patching is completed, implement the following mitigations: enforce HTTPS-only access to the Phox Hosting admin interface via web server configuration, deploy a Web Application Firewall (WAF) with rules to detect and block common XSS payloads, apply strict Content Security Policy (CSP) headers to restrict inline script execution, and limit access to the hosting control panel to trusted IP ranges or require VPN access. Additionally, educate administrators and staff not to click on untrusted links or share control panel URLs from external sources, as reflected XSS requires user interaction to be triggered.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15615
GHSA-pp2p-phm2-w3jm