CVE-2025-12298
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was identified in code-projects Simple Food Ordering System 1.0. This affects an unknown part of the file /editcategory.php. The manipulation of the argument pname leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-10-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12298
EUVD
EUVD-2025-36227
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
fabian simple_food_ordering_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-12298 is a stored Cross-Site Scripting (XSS) vulnerability in the Simple Food Ordering System 1.0, specifically in the editcategory.php file. It occurs because the pname parameter is not properly sanitized or encoded before being stored and later displayed. This allows attackers to inject malicious JavaScript code that is permanently stored on the server and executed in the browsers of users who visit the affected page. The vulnerability arises during the update or edit functionality where user input is accepted and stored without adequate sanitization and later rendered without proper output encoding, enabling persistent script execution. [1]

Impact Analysis

Exploitation of this vulnerability can lead to session hijacking, account takeover, data theft, phishing attacks, malware distribution, defacement, and complete compromise of user accounts. It affects all major browsers and can cause significant security breaches, reputation damage, business disruption, and potential regulatory fines. [1]

Compliance Impact

This vulnerability can lead to regulatory fines under standards like GDPR due to data theft and unauthorized access resulting from session hijacking and account compromise. The presence of such a security flaw indicates non-compliance with data protection and security requirements mandated by regulations such as GDPR and HIPAA, which require adequate protection of user data and prevention of unauthorized access. [1]

Detection Guidance

This vulnerability can be detected by testing the 'pname' parameter in the 'editcategory.php' file for stored Cross-Site Scripting (XSS). You can send a POST request with a malicious payload such as `<script>alert(1)</script>` to the 'editcategory.php' endpoint and observe if the script executes when the page is reloaded or revisited. For example, using curl: `curl -X POST -F "pname=<script>alert(1)</script>" http://targetsite/editcategory.php` and then accessing the page to see if the alert box appears. Additionally, monitoring network traffic for suspicious script injections or checking server logs for unusual input in the 'pname' parameter can help detect exploitation attempts. Deploying a Web Application Firewall (WAF) with XSS detection rules can also aid in identifying attacks. [1]

Mitigation Strategies

Immediate mitigation steps include implementing context-aware output encoding such as using PHP's `htmlspecialchars` function when displaying user input to prevent script execution. Additionally, enforce strict Content Security Policy (CSP) headers with nonce or hash-based inline script restrictions to limit script execution. Validate inputs using whitelists for expected data types and lengths to reduce malicious input. Use security headers like X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection. Deploy Web Application Firewalls (WAF) to detect and block XSS attempts. Longer-term measures include adopting modern web frameworks with built-in XSS protections, conducting developer security training, automated security testing, and regular security audits. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12298. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart