CVE-2025-12224
BaseFortify
Publication date: 2025-10-27
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| iqbolshoh | php-business-website | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a cross-site scripting (XSS) flaw in the Iqbolshoh php-business-website software, specifically in the admin/contact.php file. It occurs because the twitter parameter is not properly neutralized, allowing an attacker to inject malicious scripts. When exploited, these scripts run in the context of a victim's browser, potentially leading to unauthorized actions. The attack can be initiated remotely but requires user interaction to succeed. [1]
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to execute arbitrary scripts in users' browsers when they interact with the affected page. This can lead to session hijacking, defacement, or other malicious activities that compromise the integrity of the web application. However, it does not affect confidentiality or availability directly. Exploitation requires user interaction and can be performed remotely. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by identifying instances of the vulnerable software exposing the affected file admin/contact.php. One suggested method is using Google dorking with queries such as `inurl:admin/contact.php` to find potentially vulnerable endpoints. Additionally, inspecting HTTP requests that include the twitter parameter in admin/contact.php for suspicious or malicious script content can help detect exploitation attempts. There is a publicly available proof-of-concept exploit on GitHub that can be used to test for the vulnerability. [1]
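The request-inspection idea in the answer above, written out as an added example (not code from the advisory, from BaseFortify, or from the php-business-website project): a small PHP 8 scanner that reads web server access-log lines and flags requests to admin/contact.php whose `twitter` query parameter carries markup or script-like content. The path and parameter name come from this record; the combined-format log lines are constructed samples, and the pattern of "suspicious" characters is an assumed heuristic that you should tune to what your application actually accepts in that field.

```php
<?php
// Added example, not part of the advisory or the affected project.
// Flags access-log requests to admin/contact.php whose "twitter" parameter
// looks like an HTML/JavaScript injection attempt. Only query-string values
// show up in an access log; POST bodies need a WAF or application log.
declare(strict_types=1);

// Characters and fragments that never belong in a Twitter handle but do
// appear in markup/script injection (assumed heuristic, adjust as needed).
const SUSPICIOUS_PATTERN = '/[<>"\']|javascript:|on[a-z]+\s*=/i';

// Pull "METHOD /path?query HTTP/1.x" out of a combined-format log line and
// return the request target, or null if the line does not match.
function extract_request_target(string $logLine): ?string
{
    if (preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $logLine, $m) !== 1) {
        return null;
    }
    return $m[1];
}

// True when the target is the vulnerable page and its "twitter" value
// matches the suspicious pattern after URL decoding.
function twitter_param_is_suspicious(string $target): bool
{
    $path  = (string)(parse_url($target, PHP_URL_PATH) ?? '');
    $query = (string)(parse_url($target, PHP_URL_QUERY) ?? '');
    if (!str_ends_with($path, '/admin/contact.php')) {
        return false;
    }
    parse_str($query, $params); // parse_str also URL-decodes the values
    if (!isset($params['twitter']) || !is_string($params['twitter'])) {
        return false;
    }
    return preg_match(SUSPICIOUS_PATTERN, $params['twitter']) === 1;
}

// Scan a list of log lines and return the hits with their 1-based line numbers.
function scan_access_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $target = extract_request_target($line);
        if ($target !== null && twitter_param_is_suspicious($target)) {
            $hits[] = ['line' => $n + 1, 'request' => $target];
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): a benign handle, an encoded
// attribute-breaking value on the vulnerable page, and markup on another page.
$sampleLog = [
    '203.0.113.5 - - [27/Oct/2025:10:01:02 +0000] "GET /admin/contact.php?twitter=example_user HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [27/Oct/2025:10:03:45 +0000] "GET /admin/contact.php?twitter=%22%3E%3Cb%3Einjected%3C%2Fb%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Oct/2025:10:04:10 +0000] "GET /contact.php?twitter=%3Cb%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"',
];

foreach (scan_access_log($sampleLog) as $hit) {
    printf("line %d: suspicious twitter parameter in %s\n", $hit['line'], $hit['request']);
}
```

Run with `php scan.php` (or pipe real lines in via `file('access.log')` in place of `$sampleLog`). Only the second sample line is reported: the first is a plain handle and the third targets a different path, which is the point of scoping the check to the affected file rather than the whole site.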
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include replacing the vulnerable php-business-website software with an alternative solution, as no patches or countermeasures are currently available. Since the product uses a rolling release model and no specific fixed versions exist, upgrading may not resolve the issue. Additionally, restricting access to the admin/contact.php page and sanitizing or validating the twitter parameter input to prevent script injection can help reduce risk. [1]
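To make the "sanitizing or validating the twitter parameter" advice concrete, and to show the flaw described in the first answer, here is an added PHP example that is not code from the php-business-website project or from this advisory. It places a hypothetical stand-in for the vulnerable reflection of the `twitter` field beside a hardened version that validates the handle and HTML-encodes it for the attribute it lands in. The page and parameter name come from this record; the surrounding form markup and the handle format (1 to 15 characters of letters, digits and underscore) are assumptions.

```php
<?php
// Added example, not the project's own code. Shows the CWE-79 pattern of
// reflecting a request value into HTML unencoded, and the hardened form.
declare(strict_types=1);

// Vulnerable pattern (hypothetical stand-in for admin/contact.php): the raw
// request value is concatenated into an HTML attribute, so a value that
// starts with "> closes the attribute and the rest becomes markup.
function render_twitter_unsafe(array $request): string
{
    $twitter = $request['twitter'] ?? '';
    return '<input type="text" name="twitter" value="' . $twitter . '">';
}

// Input validation: accept only what a handle can look like. Returns null
// for anything else so the caller can reject it with an error.
function validate_twitter_handle(string $value): ?string
{
    $value = ltrim(trim($value), '@');
    // Assumed handle format; widen it if the application also stores profile URLs.
    return preg_match('/^[A-Za-z0-9_]{1,15}$/', $value) === 1 ? $value : null;
}

// Output encoding at the point of use: ENT_QUOTES encodes both " and ' so the
// value cannot close the attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from
// turning the whole string into "" (which would silently drop the field).
function render_twitter_safe(array $request): string
{
    $twitter = validate_twitter_handle((string)($request['twitter'] ?? '')) ?? '';
    $encoded = htmlspecialchars($twitter, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="twitter" value="' . $encoded . '">';
}

// Constructed sample inputs standing in for $_GET / $_POST.
$injected = ['twitter' => '"><b>injected markup</b>'];
$normal   = ['twitter' => '@example_user'];

echo render_twitter_unsafe($injected), PHP_EOL; // attribute closed, <b> rendered as markup
echo render_twitter_safe($injected), PHP_EOL;   // fails validation, rendered as value=""
echo render_twitter_safe($normal), PHP_EOL;     // rendered as value="example_user"
```

Validation and encoding are deliberately separate steps: validation keeps bad data out of storage, while encoding protects every place the value is later written to a page, including values that were stored before the fix. Of the two, the encoding step is the one that actually removes the XSS; the validation step is defence in depth.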