CVE-2024-39090

MEDIUM

PHPGurukul Online Shopping Portal 2.0 - Cross-Site Request Forgery leading to Stored Cross-Site Scripting

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-39090. PoCs published by ghostwirez.

AI-analyzed exploit summary This repository contains a functional Python script that exploits CVE-2024-39090, a CSRF to Stored XSS vulnerability in PHPGurukul Online Shopping Portal v2.0. The script automates the submission of a malicious XSS payload via a POST request to a vulnerable endpoint.

Description

The PHPGurukul Online Shopping Portal Project version 2.0 contains a vulnerability that allows Cross-Site Request Forgery (CSRF) to lead to Stored Cross-Site Scripting (XSS). An attacker can exploit this vulnerability to execute arbitrary JavaScript code in the context of a user's session, potentially leading to account takeover.

Exploits (1)

nomisec WORKING POC
by ghostwirez · poc
https://github.com/ghostwirez/CVE-2024-39090-PoC

This repository contains a functional Python script that exploits CVE-2024-39090, a CSRF to Stored XSS vulnerability in PHPGurukul Online Shopping Portal v2.0. The script automates the submission of a malicious XSS payload via a POST request to a vulnerable endpoint.

Classification
Working Poc 95%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: PHPGurukul Online Shopping Portal v2.0
No auth needed
Prerequisites: Target URL of the vulnerable endpoint · Network access to the target
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Scores

CVSS v3 6.1
EPSS 0.0046
EPSS Percentile 36.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-352
Status published
Products (1)
phpgurukul/online_shopping_portal 2.0
Published Jul 18, 2024
Tracked Since Feb 18, 2026