CVE-2025-47289

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker  potentially leading to account takeover. Version 1.1.0.3 fixes the issue.
Cross-site Scripting
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
GitHub_MCNA
6.3 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 9%
VendorProductVersion
phoenixcartce_phoenix_cart
𝑥
< 1.1.0.3
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://drive.google.com/file/d/1uQAEjewSL9jWWu1UHe47tAnM7U4_x39g/view?usp=drive_link
https://github.com/CE-PhoenixCart/PhoenixCart/security/advisories/GHSA-98qq-m8qj-vvgj
https://github.com/CE-PhoenixCart/PhoenixCart/security/advisories/GHSA-98qq-m8qj-vvgj