CVE-2018-7465

MEDIUM

VirtueMart < 3.2.14 - Stored Cross-Site Scripting via Backend Textarea Closure

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-7465. PoCs published by Mattia Furlani.

AI-analyzed exploit summary: This is a writeup describing a persistent XSS vulnerability in VirtueMart before 3.2.14. The exploit involves injecting a closing textarea tag followed by a script tag into a textarea field, which executes when the field is edited again.

Description

An XSS issue was discovered in VirtueMart before 3.2.14. Any textarea in the backend of the plugin can be closed by simply adding </textarea> to the value and saving the product/config. When the product/config is opened for editing again, the editor's browser will execute everything after the </textarea>, leading to a possible XSS.

Exploits (1)

exploitdb WRITEUP
by Mattia Furlani · text · webapps · php
https://www.exploit-db.com/exploits/44625


Classification: Writeup 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: VirtueMart before 3.2.14
Auth required
Prerequisites: Access to edit config/products in the admin area
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026

References (3)

Core References
Exploit, Third Party Advisory x_refsource_misc
https://imgur.com/a/Hf6JD
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44625/

Scores

CVSS v3 5.4
EPSS 0.0237
EPSS Percentile 81.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
virtuemart/virtuemart < 3.2.14
Published Apr 26, 2018
Tracked Since Feb 18, 2026