VYPR
Unrated severity · NVD Advisory · Published Jan 13, 2015 · Updated May 6, 2026

CVE-2014-10035

Description

Multiple cross-site scripting (XSS) vulnerabilities in the admin area in couponPHP before 1.2.0 allow remote administrators to inject arbitrary web script or HTML via the (1) sEcho parameter to comments_paginate.php or (2) stores_paginate.php or the (3) affiliate_url, (4) description, (5) domain, (6) seo[description], (7) seo[heading], (8) seo[title], (9) seo[keywords], (10) setting[logo], (11) setting[perpage], or (12) setting[sitename] to admin/index.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple stored cross-site scripting vulnerabilities in couponPHP before 1.2.0 allow admin-level attackers to inject arbitrary HTML/JavaScript via various parameters in the admin panel.

Vulnerability

couponPHP versions before 1.2.0 contain multiple stored cross-site scripting (XSS) vulnerabilities in the admin area. The sEcho parameter in comments_paginate.php and stores_paginate.php, as well as parameters affiliate_url, description, domain, seo[description], seo[heading], seo[title], seo[keywords], setting[logo], setting[perpage], and setting[sitename] in admin/index.php, are not properly sanitized before being stored and later rendered. This allows injection of arbitrary HTML and script code [1][2].

Exploitation

An attacker with administrative access to the couponPHP admin panel can craft malicious input in any of the listed parameters. The injected payload is stored on the server and executed in the browser of any administrator who views the affected page. No additional user interaction is required beyond the victim accessing the admin interface [1][2].

Impact

Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the admin session. This can lead to session hijacking, defacement, or further compromise of the couponPHP installation. The attack is limited to the admin area but can affect all administrators [1][2].

Mitigation

The vendor released version 1.2.0 to address these vulnerabilities. Users should upgrade to couponPHP 1.2.0 or later. No workarounds are documented in the available references [1][2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:couponphp:couponphp:*:*:*:*:*:*:*:* (range: <=1.1.0)
  • (no CPE) (range: <1.2.0)
