CVE-2025-60503
Severity: HIGH
UltimatePOS 4.8 - Authenticated Stored Cross-Site Scripting via Purchase Reference No. Field
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2025-60503. PoCs published by H4zaz.
AI-analyzed exploit summary
This repository provides a detailed technical analysis of a stored XSS vulnerability in UltimatePOS v4.8, specifically in the 'Reference No.' field of the Purchases module, which is rendered unsanitized in the Activity Log. The writeup includes a step-by-step PoC, impact assessment, and mitigation recommendations.
Description
A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8, where input submitted through the purchase functionality in the 'Reference No.' field is rendered without proper escaping on the admin log panel page. This flaw allows an authenticated attacker to execute arbitrary JavaScript in the context of an administrator's browser session, which could lead to session hijacking or other malicious actions.
Exploits (1)
References (2)
Scores
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N