CVE-2025-47289

MEDIUM

CE Phoenix Cart 1.0.9.9-1.1.0.2 - Stored Cross-Site Scripting in Testimonial Description Field

Title source: llm
STIX 2.1

Description

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker — potentially leading to account takeover. Version 1.1.0.3 fixes the issue.

References (2)

Core 2

Scores

CVSS v3 6.3
EPSS 0.0022
EPSS Percentile 12.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-1004 CWE-79
Status published
Products (1)
phoenixcart/ce_phoenix_cart < 1.1.0.3
Published Jun 02, 2025
Tracked Since Feb 18, 2026