CVE-2025-15583
Received Received - Intake
Cross-Site Scripting in detronetdip E-commerce get_safe_value

Publication date: 2026-02-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-20
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2025-15583
EUVD
EUVD-2025-207628
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
detronetdip e-commerce 1.0.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2025-15583 is a Stored Cross-Site Scripting (XSS) vulnerability in detronetdip E-commerce version 1.0.0, specifically in the function get_safe_value located in utility/function.php.'}, {'type': 'paragraph', 'content': 'The vulnerability arises because get_safe_value uses mysqli_real_escape_string() to sanitize inputs, which only protects against SQL injection but does not encode HTML entities like < or >. This allows attackers to inject malicious JavaScript code into product-related fields such as product_name or description.'}, {'type': 'paragraph', 'content': "The malicious payload is stored persistently in the database and executes when an administrator views product list or approval pages in the backend dashboard, running the script in the administrator's browser session."}, {'type': 'paragraph', 'content': 'Exploitation can be done remotely by sending crafted POST requests to endpoints like seller/assets/backend/product/updateproduct.php, leveraging an Insecure Direct Object Reference (IDOR) vulnerability to inject the payload.'}, {'type': 'paragraph', 'content': 'The root cause is improper input sanitization and lack of proper output encoding, which allows execution of injected scripts in the browser.'}] [1, 2, 3]

Impact Analysis

This vulnerability can have several serious impacts:

  • Session Hijacking: Attackers can steal administrator session cookies (PHPSESSID) via injected scripts, enabling full account takeover.
  • Persistent Malware: The malicious script executes every time the affected page loads, allowing repeated infections.
  • Phishing and Defacement: Attackers can manipulate the webpage DOM to display fake login forms or misleading content, potentially tricking administrators.

Overall, this can lead to compromise of administrative accounts, unauthorized access, data manipulation, and loss of trust in the application.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to inject a JavaScript payload into product-related fields such as product_name or description via the endpoint seller/assets/backend/product/updateproduct.php. A practical detection method involves sending a crafted POST request with a script payload and observing if the payload is stored and executed when the administrator views the product list or approval pages.'}, {'type': 'paragraph', 'content': 'An example command to test for this vulnerability is using curl to send a POST request with a JavaScript payload in the product name field:'}, {'type': 'list_item', 'content': 'curl -X POST -H "Cookie: PHPSESSID=[Session_ID]" -d "id=10" -d "name=<script>alert(\'XSS_ADMIN_TAKEOVER\')</script>" -d "price=1000" -d "sellprice=1" -d "quantity=10" "http://localhost:3000/seller/assets/backend/product/updateproduct.php"'}, {'type': 'paragraph', 'content': 'If the payload is stored and triggers an alert or executes when the administrator accesses the backend pages, the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Additionally, vulnerable instances can be identified using Google dorking techniques such as searching for inurl:utility/function.php to find affected installations.'}] [1, 2, 3]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation involves implementing proper output encoding when displaying user-controllable data in HTML contexts rather than relying solely on input sanitization.'}, {'type': 'paragraph', 'content': 'Specifically, continue using mysqli_real_escape_string() to prevent SQL injection, but apply htmlspecialchars() with appropriate flags (such as ENT_QUOTES and UTF-8 encoding) when outputting data to the browser. For example:'}, {'type': 'list_item', 'content': "echo htmlspecialchars($row['product_name'], ENT_QUOTES, 'UTF-8');"}, {'type': 'paragraph', 'content': "This ensures that HTML entities are encoded, preventing execution of injected scripts in the administrator's browser."}, {'type': 'paragraph', 'content': 'Since no official patch or response has been provided by the project maintainers, consider replacing the affected software with an alternative product if immediate code changes are not feasible.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15583. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart