CVE-2017-12984
MEDIUM
PHPMyWind 5.3 - Stored Cross-Site Scripting in Shopping Cart Message Handling
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2017-12984. PoCs published by 小雨.
AI-analyzed exploit summary
The exploit demonstrates a stored XSS vulnerability in PHPMyWind 5.3, where the 'content' parameter is not properly escaped when displayed in the admin panel, allowing arbitrary JavaScript execution.
Description
PHPMyWind 5.3 has XSS in shoppingcart.php, related to message.php, admin/message.php, and admin/message_update.php.
Exploits (1)
exploitdb
WORKING POC
by 小雨 · text · webapps · php
https://www.exploit-db.com/exploits/42535
Classification
Working PoC 90%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
PHPMyWind 5.3
Auth required
Prerequisites:
Access to the admin panel to view the malicious payload
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (2)
Core References
Third Party Advisory x_refsource_misc
http://www.yuag.org/2016/08/17/phpmywind_5-3%E5%AD%98%E5%82%A8%E5%9E%8Bxss/
Exploit, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/42535/
Scores
CVSS v3
6.1
EPSS
0.0185
EPSS Percentile
76.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (1)
phpmywind/phpmywind
5.3
Published
Aug 21, 2017
Tracked Since
Feb 18, 2026