Platform
php
Component
report
Fixed in
10677743.0.1
CVE-2025-12224 describes a cross-site scripting (XSS) vulnerability discovered in php-business-website, affecting versions up to 10677743a8dfc281f85291a27cf63a0bce043c24. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. A fix is available in version 10677743.0.1.
The XSS vulnerability in php-business-website allows an attacker to inject arbitrary JavaScript code into the application's web pages. This can be exploited to steal user cookies, redirect users to malicious websites, or deface the website. Successful exploitation could lead to unauthorized access to sensitive data, including user credentials and personal information. Because the vulnerability is triggered by manipulating the 'twitter' argument, attackers could craft malicious links or inject scripts through user input fields that are reflected in the application's output. The remote nature of the exploit increases the potential attack surface.
A public proof-of-concept (PoC) for CVE-2025-12224 has been published, indicating a relatively high likelihood of exploitation. The vulnerability was disclosed on 2025-10-27. The vendor was notified prior to public disclosure. The CVSS score is LOW, suggesting the exploit may require specific conditions or user interaction to be successful, but the availability of a PoC increases the risk.
Exploit Status
EPSS
0.05% (16% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-12224 is to upgrade php-business-website to version 10677743.0.1 or later. Given the rolling release model of this product, continuous updates are expected. If immediate upgrading is not possible, consider implementing input validation and output encoding on the 'twitter' parameter in admin/contact.php to sanitize user-supplied data. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. Regularly review and update your WAF rules to ensure they are effective against emerging threats.
Update to a patched version of the php-business-website software. Because the vendor is not responding, review the source code of admin/contact.php and filter/escape the input of the 'twitter' parameter to prevent cross site scripting (XSS) code injection. Consider disabling or removing the component if it cannot be updated or patched securely.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-12224 is a cross-site scripting (XSS) vulnerability in php-business-website versions up to 10677743a8dfc281f85291a27cf63a0bce043c24, allowing attackers to inject malicious scripts.
You are affected if you are using php-business-website versions prior to 10677743.0.1 and have not implemented mitigating controls.
Upgrade to php-business-website version 10677743.0.1 or later. Implement input validation and output encoding as a temporary workaround.
A public proof-of-concept exists, suggesting a potential for active exploitation.
Contact the vendor directly for the official advisory, as specific version information is not readily available due to the rolling release model.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.