CVE-2025-8167
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-25

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was found in code-projects Church Donation System 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/edit_members.php. The manipulation of the argument fname leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. Other parameters might be affected as well.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-25
Last Modified
2026-04-29
Generated
2026-05-06
AI Q&A
2025-07-25
EPSS Evaluated
2026-05-05
NVD
CVE-2025-8167
EUVD
EUVD-2025-22751
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
carmelo church_donation_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-8167 is a stored Cross-Site Scripting (XSS) vulnerability in the Church Donation System 1.0, specifically in the /admin/edit_members.php file. It occurs because the 'fname' parameter is not properly sanitized, allowing an attacker to inject malicious JavaScript code that is permanently stored on the server. This malicious script executes whenever the affected member's details are viewed, enabling persistent XSS attacks. [1, 3]


How can this vulnerability impact me? :

This vulnerability allows attackers to execute arbitrary JavaScript code in the context of the affected web application. This can lead to unauthorized actions, data manipulation, and potentially compromise the integrity of the system. Since the malicious script is stored and executed whenever the affected data is viewed, all users including administrators are at risk. The attack can be launched remotely and requires some user interaction. [1, 2, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence of malicious JavaScript payloads in the 'fname' parameter of POST requests to the /admin/edit_members.php endpoint. You can use web application scanning tools or manual inspection to identify stored XSS payloads. Additionally, Google dorking with queries like "inurl:admin/edit_members.php" can help identify vulnerable instances. For command-line detection, you might use curl to send test POST requests with XSS payloads and observe responses or stored data. Example command: curl -X POST -d "fname=<img src=1 onerror=alert('XSS')>" https://your-target/admin/edit_members.php?id=someid [2, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include sanitizing and validating all user inputs, especially the 'fname' parameter in /admin/edit_members.php, to prevent injection of malicious scripts. Since no known countermeasures are documented, it is recommended to replace the affected software with an alternative product. Additionally, restricting access to the admin interface and applying web application firewall (WAF) rules to block suspicious input patterns can help reduce risk. [3]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart