VYPR
Low severity · CVSS 2.4 · NVD Advisory · Published Dec 8, 2025 · Updated Apr 29, 2026

CVE-2025-14205

Description

A vulnerability was found in code-projects Chamber of Commerce Membership Management System 1.0. Impacted is an unknown function of the file /membership_profile.php of the component Your Info Handler. Manipulating the argument Full Name/Address/City/State results in cross-site scripting. The attack can be carried out remotely. The exploit has been made public and could be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Chamber of Commerce Membership Management System 1.0 via the profile update form allows remote attackers to inject arbitrary scripts.

Vulnerability

Overview

A cross-site scripting (XSS) vulnerability has been identified in the code-projects Chamber of Commerce Membership Management System version 1.0. The issue resides in an unknown function within the /membership_profile.php file, part of the 'Your Info' handler. By manipulating the Full Name, Address, City, or State arguments, an attacker can inject arbitrary web script or HTML. The advisory does not state whether the payload is reflected or stored; in either case the injected value is rendered by the membership profile page without adequate encoding [1].

Exploitation

Conditions

The attack vector is remote; the advisory does not state whether authentication or other prerequisites are required. An attacker could craft a request to the profile endpoint carrying an XSS payload in one of the named form fields. Because the vulnerability has been publicly disclosed with proof-of-concept code, exploitation may be straightforward for anyone with network access to the application [1].

Impact

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of a victim's browser session. This could lead to session hijacking, defacement, or theft of sensitive information displayed on the profile page. The low CVSS score of 2.4 indicates limited impact, likely because the required user interaction and the sensitivity of the affected data reduce the rated severity [1].

Mitigation

Status

The vendor, code-projects, has not released a patch as of the publication date. Users are advised to apply input validation and output encoding on the affected fields, or consider migrating to a maintained alternative. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
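As an added illustration of the recommended fix (this is not code from the code-projects application or from the advisory), the following hypothetical PHP handler shows the unencoded rendering pattern beside a hardened version that validates the four profile fields on input and HTML-encodes them on output. Field names, length limits and the sample record are assumptions.

```php
<?php
// Added example, not the application's code. Field names are assumed to
// mirror the advisory's Full Name / Address / City / State parameters.

// --- Vulnerable pattern: submitted values are concatenated into HTML as-is ---
function render_profile_unsafe(array $profile): string
{
    // Any <script> or event-handler markup stored in a field is parsed by the browser.
    return '<p>Name: ' . $profile['full_name'] . '</p>'
         . '<p>Address: ' . $profile['address'] . ', '
         . $profile['city'] . ' ' . $profile['state'] . '</p>';
}

// --- Hardened: validate on input, encode on output ---
function validate_profile(array $input): array
{
    // Assumed per-field length limits; adjust to the real schema.
    $limits = ['full_name' => 100, 'address' => 200, 'city' => 80, 'state' => 40];
    $clean = [];
    foreach ($limits as $field => $max) {
        $value = trim((string)($input[$field] ?? ''));
        if ($value === '' || mb_strlen($value, 'UTF-8') > $max) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        // Reject control characters; markup characters are left to output encoding.
        if (preg_match('/[\x00-\x1F\x7F]/u', $value)) {
            throw new InvalidArgumentException("Invalid value for $field");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

function h(string $s): string
{
    // Encode for HTML text and attribute contexts; ENT_QUOTES also escapes ' and "
    // so the same helper is safe inside value="..." on the edit form.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_profile_safe(array $profile): string
{
    return '<p>Name: ' . h($profile['full_name']) . '</p>'
         . '<p>Address: ' . h($profile['address']) . ', '
         . h($profile['city']) . ' ' . h($profile['state']) . '</p>';
}

// Constructed sample record containing markup in the Full Name field.
$sample = ['full_name' => 'Ann <b>Lee</b>', 'address' => '1 Main St',
           'city' => 'Springfield', 'state' => 'IL'];
echo render_profile_safe(validate_profile($sample)), PHP_EOL;
```

Validation alone is not a substitute for encoding: a name such as O'Brien is legitimate input, so the safe path accepts it and relies on h() at render time.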

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.