CVE-2024-58296

MEDIUM

CE Phoenix - Stored Cross-Site Scripting in Currencies Administration Panel


Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-58296. PoCs published by tmrswrr.

AI-analyzed exploit summary: This exploit demonstrates a stored XSS vulnerability in CE Phoenix by injecting a malicious SVG payload into the 'Title' field of the currencies.php admin panel. The payload triggers an alert when the page is reloaded, confirming the vulnerability.

Description

CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page.

Exploits (1)

exploitdb WORKING POC
by tmrswrr · text · webapps · php
https://www.exploit-db.com/exploits/52015

Classification: Working PoC 90%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: CE Phoenix Version 1.0.8.20
Auth required
Prerequisites: Admin access to the target application
devstral-2 · analyzed Feb 16, 2026

Scores

CVSS v4: 5.3
EPSS: 0.0007
EPSS Percentile: 21.3%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: partial

Details

CWE: CWE-79
Status: published
Products (1): PhoenixCart/CE Phoenix 1.0.8.20
Published: Dec 11, 2025
Tracked Since: Feb 18, 2026