CVE-2025-40725
Description
Reflected Cross-Site Scripting (XSS) vulnerability in Azon Dominator. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending them a malicious URL using the “q” parameter in /search via GET. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Azon Dominator via the 'q' parameter in /search allows attackers to execute JavaScript in victims' browsers.
Vulnerability
Overview
CVE-2025-40725 is a reflected Cross-Site Scripting (XSS) vulnerability in Azon Dominator, a PHP script used to create affiliate websites. The flaw exists in the /search endpoint, where the q parameter is taken via GET and reflected back to the user without proper sanitization or encoding. This allows an attacker to craft a malicious URL that, when visited by a victim, will execute arbitrary JavaScript in the context of the vulnerable site [1].
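The vulnerable-then-hardened pattern described above, shown as an added PHP illustration. This is not Azon Dominator's code: the function names, markup, and sample input are constructed for the example, and only the parameter name and HTTP method come from the advisory.

```php
<?php
// Added illustration of the reflected-XSS pattern for a search endpoint.
// NOT the vendor's code: every name and the markup below are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the raw GET value is concatenated straight into HTML,
// so any markup in $q is parsed by the browser as part of the page.
function render_search_vulnerable(string $q): string
{
    return '<h2>Results for: ' . $q . '</h2>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// Output encoding for HTML element and attribute contexts.
// ENT_QUOTES encodes both ' and " (needed inside value="..."),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
// and the explicit charset prevents encoding mismatches.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: the same markup, with the untrusted value encoded once
// for each place it is emitted.
function render_search_hardened(string $q): string
{
    $safe = esc($q);
    return '<h2>Results for: ' . $safe . '</h2>'
         . '<input type="text" name="q" value="' . $safe . '">';
}

// Controller-style wrapper; the parameter arrives via GET as the advisory
// states. Capping the length is a small extra hardening step, and
// ENT_SUBSTITUTE in esc() copes with a multibyte sequence cut by substr().
function handle_search(array $get): string
{
    $q = isset($get['q']) ? (string) $get['q'] : '';
    $q = substr($q, 0, 200);
    return render_search_hardened($q);
}

// Defence in depth: a restrictive CSP limits what injected script could do
// but does not replace output encoding. Skipped under the CLI, where
// header() has no effect.
if (PHP_SAPI !== 'cli' && !headers_sent()) {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed sample input containing characters that are significant in
// both element and attribute contexts; not a working payload.
$sample = '"><b>term</b>';
echo "vulnerable: " . render_search_vulnerable($sample) . "\n";
echo "hardened:   " . render_search_hardened($sample) . "\n";
echo "via GET:    " . handle_search(['q' => $sample]) . "\n";
```

Run under the PHP CLI the first line shows the quote and tag reaching the output intact, while the encoded lines show them as `&quot;`, `&gt;`, `&lt;` and so on, which the browser renders as literal text. The key design choice is encoding at output time, per context, rather than trying to filter input: a search term legitimately may contain `<` or `"`, and a blocklist of known-bad strings is both lossy and easy to bypass.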
Exploitation
An attacker can exploit this vulnerability by sending a crafted link containing a malicious payload in the q parameter to a victim. No authentication is required to trigger the vulnerability, but user interaction is necessary — the victim must click the link. The attack vector is network-based, with low complexity and no privileges required, as reflected in the CVSS v4.0 base score of 5.1 (AV:N/AC:L/AT:N/PR:N/UI:A) [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the victim's browser. This can be used to steal sensitive data such as session cookies, perform actions on behalf of the authenticated user, or deface the web page. The subsequent-system metrics (SC:L/SI:L/SA:N) indicate low impact to confidentiality and integrity, and no impact to availability, on systems beyond the vulnerable application itself [1].
Mitigation
The Azon Dominator team has released a fix in the latest available version. Users are strongly advised to update their installations to the patched version to eliminate the risk. No workarounds are mentioned in the advisory [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.