Wisenshop - Stored XSS

2025.11.01
Credit: CraCkEr
Risk: Low
Local: No
Remote: Yes

# Exploit Title: Wisenshop - Stored XSS
# Exploit Author: CraCkEr
# Date: 11-10-2025
# Author of Script: Wisencode Infotech
# Vendor: Wisencode Infotech
# Vendor Homepage: https://www.codester.com/items/53007/wisenshop-ecommerce-store-script
# Software Link: https://default-theme.wisenshop.com/
# Demo Link: https://default-theme.wisenshop.com/
# Tested on: Windows 11 Pro
# Impact: Manipulate the content of the site
# CWE: CWE-79 - CWE-94 - CWE-74
# VDB: VDB-329935
# CVE: CVE-2025-12264

## Description

A standard (unprivileged) user can store a malicious script in a support ticket. When an administrator opens that ticket in the backend panel, the script executes in the administrator's browser and can perform a wide variety of actions in the administrator's context, such as stealing the administrator's session token or login credentials.

## Steps to Reproduce the Stored XSS Vulnerability:

1. Register on the target website as a standard user.
2. Log in using your newly created credentials.
3. Navigate to the Profile page: https://default-theme.wisenshop.com/profile
4. Click on "Create a Support Ticket" to access the ticket submission form: https://default-theme.wisenshop.com/support-ticket/create
5. Fill in arbitrary values for Email and Subject, and inject a malicious XSS payload into the Message field.
6. Submit the support ticket.
7. Log in as an admin and navigate to the Support Tickets section in the backend panel: https://default-theme.wisenshop.com/backend/tickets
8. Upon viewing the submitted ticket, the XSS payload executes in the admin's browser.

[-] Done
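The following is an added Python example, not code from Wisenshop or from the advisory author. It models the flaw the steps above describe: the stored Message field is written into the admin's ticket page as raw markup. The sample ticket, the payload in its Message field and the function names are assumptions for illustration; the real application's template and field names are not known from the advisory. The vulnerable renderer is shown beside the hardened one (escape every user-controlled field at output time, the CWE-79 fix), together with the check a tester applies to the admin's HTTP response: does the untrusted input come back as live markup or as text?

```python
import html
import re

# Constructed sample ticket (assumption, not data from the advisory). The
# Message field carries a generic XSS probe of the kind step 5 refers to;
# any payload that is meaningful inside an HTML body would do.
SAMPLE_TICKET = {
    "email": "user@example.com",
    "subject": "Order question",
    "message": '<img src=x onerror="alert(document.cookie)">',
}


def render_ticket_vulnerable(ticket: dict) -> str:
    """Mirror the behaviour the advisory describes (hypothetical template):
    the stored fields are interpolated into the backend page unchanged, so
    any markup the ticket author stored is interpreted by the admin's browser."""
    return (
        "<div class='ticket'>"
        f"<p>From: {ticket['email']}</p>"
        f"<p>Subject: {ticket['subject']}</p>"
        f"<div class='body'>{ticket['message']}</div>"
        "</div>"
    )


def render_ticket_hardened(ticket: dict) -> str:
    """Same page, with HTML escaping applied to every user-controlled field at
    the point of output. quote=True also escapes ' and ", so the values are
    safe inside attribute values as well as in text nodes."""
    esc = lambda s: html.escape(s, quote=True)
    return (
        "<div class='ticket'>"
        f"<p>From: {esc(ticket['email'])}</p>"
        f"<p>Subject: {esc(ticket['subject'])}</p>"
        f"<div class='body'>{esc(ticket['message'])}</div>"
        "</div>"
    )


# Defence in depth for the backend panel: a CSP that blocks inline scripts and
# event handlers so a missed escape does not immediately become code execution
# (assumed value; a real policy must match the panel's own asset origins).
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'")

# Locate the ticket body in the rendered page (matches the hypothetical template).
BODY_RE = re.compile(r"<div class='body'>(.*?)</div>", re.S)


def ticket_body_has_live_markup(rendered: str) -> bool:
    """What a tester checks in the admin's response at step 8: if the body
    still contains a raw '<', the stored input is being parsed as markup
    rather than shown as text, i.e. the payload will execute."""
    m = BODY_RE.search(rendered)
    body = m.group(1) if m else rendered
    return "<" in body


if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_ticket_vulnerable),
                           ("hardened", render_ticket_hardened)):
        page = renderer(SAMPLE_TICKET)
        print(f"{name}: live markup in ticket body = "
              f"{ticket_body_has_live_markup(page)}")
        print("  ", page)
```

Note that the fix belongs at output time, in the template layer (or by enabling the template engine's auto-escaping for the backend views), not in input filtering alone: the same stored message may be rendered in several places, and a filter that misses one encoding trick leaves every render site exposed. The CSP is a second layer, not a substitute for escaping.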


Copyright 2025, cxsecurity.com
