CVE Reports

Posted on • Originally published at cvereports.com


CVE-2025-12334: The 'Add Product' Feature That Adds Malware Instead

Vulnerability ID: CVE-2025-12334
CVSS Score: 6.1
Published: 2025-10-27

A classic Stored Cross-Site Scripting (XSS) vulnerability in code-projects E-Commerce Website 1.0 allows unauthenticated attackers to inject malicious JavaScript into product listings. This creates a persistent trap for any user—including administrators—who views the infected product pages.

TL;DR

The 'E-Commerce Website 1.0' platform by code-projects allows anyone to add products via the /pages/product_add.php endpoint without proper authentication or input sanitization. Attackers can inject arbitrary JavaScript into the prod_name, prod_desc, or prod_cost fields. When a victim (like an admin) views the product list, the script executes, potentially leading to session hijacking or account takeover.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79 (Cross-Site Scripting)
  • CVSS v3.1: 4.3 (Medium)
  • CVSS v4.0: 5.3 (Medium)
  • Attack Vector: Network (Remote)
  • Attack Complexity: Low
  • Privileges Required: None (Unauthenticated)
  • Exploit Status: Public PoC Available

Affected Systems

  • code-projects E-Commerce Website 1.0
  • E-Commerce Website: version = 1.0 (Fixed in: None)

Exploit Details

  • Figshare: Public Proof of Concept containing screenshot and payload details.

Mitigation Strategies

  • Implement Context-Aware Output Encoding
  • Enforce Strict Input Validation (Allow-listing)
  • Deploy Content Security Policy (CSP)
  • Restrict Access to Administrative Endpoints

Remediation Steps:

  1. Locate pages/product_add.php and add authentication checks at the top of the file.
  2. Locate all view files (e.g., product_list.php) where user data is displayed.
  3. Wrap all echo or print statements outputting user data with htmlspecialchars($var, ENT_QUOTES, 'UTF-8').
  4. Validate prod_cost to ensure it is numeric using is_numeric() or type casting.
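The four remediation steps above, applied together in one added PHP example. This is not code from code-projects E-Commerce Website 1.0; the function names, the `admin_id` session key, the length limits and the sample request are assumptions made here for illustration. It shows the authentication gate for `product_add.php`, allow-list validation of the three product fields (including a numeric check on `prod_cost`), the `htmlspecialchars()` wrapper for the view file, and a nonce-based CSP header from the mitigation list.

```php
<?php
// Added example (not the project's own code): the remediation steps
// applied to a hypothetical pages/product_add.php handler and
// product_list.php renderer. Names, limits and the 'admin_id'
// session key are assumptions.

declare(strict_types=1);

// Step 1: authentication gate, to be placed at the top of
// pages/product_add.php. Returns true when the request may proceed;
// the real file would redirect to the login page on false.
function require_admin(array $session): bool
{
    return isset($session['admin_id']) && is_int($session['admin_id']);
}

// Step 4 (plus allow-listing): validate every field on the way in.
// Returns the cleaned record, or null when any field fails.
function validate_product(array $post): ?array
{
    $name = trim((string)($post['prod_name'] ?? ''));
    $desc = trim((string)($post['prod_desc'] ?? ''));
    $cost = $post['prod_cost'] ?? null;

    if ($name === '' || mb_strlen($name) > 100) {
        return null;                      // assumed name limit
    }
    if (mb_strlen($desc) > 2000) {
        return null;                      // assumed description limit
    }
    if (!is_scalar($cost)) {
        return null;
    }
    // is_numeric() also accepts forms such as "1e3" and leading
    // whitespace; a plain decimal amount is the only shape a price needs.
    if (!preg_match('/^\d{1,8}(\.\d{1,2})?$/', (string)$cost)) {
        return null;
    }
    return [
        'prod_name' => $name,
        'prod_desc' => $desc,
        'prod_cost' => (float)$cost,
    ];
}

// Step 3: output encoding for HTML body and attribute context.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders one product row as the view file would. The commented-out
// line is the raw echo pattern the advisory describes; the active
// return is the remediated form.
function render_product_row(array $product): string
{
    // echo '<td>' . $product['prod_name'] . '</td>';   // vulnerable: unencoded
    return '<tr><td>' . e($product['prod_name']) . '</td>'
         . '<td>' . e($product['prod_desc']) . '</td>'
         . '<td>' . number_format($product['prod_cost'], 2) . '</td></tr>';
}

// Mitigation list, item 3: a nonce-based CSP denies inline script even
// if an encoding bug slips through in some other view.
function csp_header(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
         . "script-src 'self' 'nonce-" . $nonce . "'; "
         . "object-src 'none'; base-uri 'self'";
}

// --- demonstration on a constructed request -------------------------
$session = [];                                  // unauthenticated visitor
$post = [
    'prod_name' => '<script>alert(1)</script>', // constructed test string
    'prod_desc' => 'Desc',
    'prod_cost' => '12.50',
];

if (!require_admin($session)) {
    echo "product_add: rejected (not authenticated)\n";
}

$clean = validate_product($post);
if ($clean !== null) {
    header(csp_header(bin2hex(random_bytes(16))));
    // The name is stored as data and, on render, emitted as
    // entity-encoded text rather than as markup.
    echo render_product_row($clean), "\n";
}
```

The encoder is applied at the point of output, not at storage time, so the same stored value stays safe in every view that uses `e()`; validation on input is the second layer, and it rejects a non-numeric `prod_cost` outright instead of trying to clean it.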

Read the full report for CVE-2025-12334 on our website for more details including interactive diagrams and full exploit analysis.
