CVE-2025-47204
Description
An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
post.php in bootstrap-multiselect 1.1.2 echoes arbitrary POST data, enabling reflective XSS if the pattern is copied into a live application, and the attack can be triggered via CSRF.
Vulnerability
Overview
CVE-2025-47204 affects bootstrap-multiselect version 1.1.2, specifically the file post.php. The issue is that this PHP script echoes back arbitrary POST data without sanitization or validation. If a developer adopts this script's structure wholesale in a production web application, it introduces a reflective Cross-Site Scripting (XSS) vulnerability [1][2][3].
Exploitation
Prerequisites
The attack surface is limited: the vulnerable post.php script is part of the library's source code examples, not the core widget logic. For exploitation to be possible, a developer must have copied the pattern from post.php into an actual deployed endpoint that echoes unsanitized POST parameters. In that scenario, an attacker could craft a request with malicious JavaScript in a POST parameter. Furthermore, because no CSRF token or origin check is present, the XSS can be triggered via Cross-Site Request Forgery (CSRF) [3], meaning an external site can force a victim's browser to submit the malicious POST request.
Impact
If successfully exploited, the attacker can execute arbitrary JavaScript in the victim's browser session within the context of the vulnerable application. This can lead to session hijacking, data theft, or defacement. The severity depends on the sensitivity of the application using the vulnerable pattern.
Mitigation
Status
The vendor has acknowledged the issue via GitHub [1][2]. The library has since released newer versions (e.g., v2.0.0), but the fix is not explicitly described as addressing this CVE. Users are advised to avoid copying the post.php pattern in production, or to sanitize all POST data before echoing. As of this writing, the CVE has not been added to the CISA Known Exploited Vulnerabilities catalog [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
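The removed demo pattern beside a hardened replacement, as an added example rather than code from the bootstrap-multiselect project. It covers both points made above: an Origin allow-list closes the CSRF delivery path, and HTML-encoding every reflected key and value removes the reflected XSS. `ALLOWED_ORIGINS` is an assumed deployment value.

```php
<?php
// Added example (not bootstrap-multiselect project code).
// The removed demo pattern was simply:  print_r($_POST);
// which writes raw keys and values into an HTML response, so a value
// such as "><script>…</script> is rendered as markup (reflected XSS).
// The hardened handler below (a) rejects cross-origin POSTs and
// (b) HTML-encodes every key and value before reflecting it.
declare(strict_types=1);

// Assumed deployment value: origins allowed to POST to this endpoint.
const ALLOWED_ORIGINS = ['https://app.example.com'];

/** CSRF defence: only accept POSTs whose Origin header is on the allow-list. */
function originAllowed(array $server): bool
{
    // Browsers send Origin on cross-site POSTs; a missing or foreign
    // Origin is rejected rather than trusted.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    return in_array($origin, ALLOWED_ORIGINS, true);
}

/** Encode one string for safe placement inside HTML text. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render submitted fields as an HTML list with every key and value encoded. */
function renderPostSafely(array $post): string
{
    $out = "<ul>\n";
    foreach ($post as $key => $value) {
        // Multi-select widgets submit arrays (name="field[]"); flatten them.
        foreach ((is_array($value) ? $value : [$value]) as $v) {
            $out .= '  <li>' . h((string) $key) . ': ' . h((string) $v) . "</li>\n";
        }
    }
    return $out . "</ul>\n";
}

if (PHP_SAPI !== 'cli') {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !originAllowed($_SERVER)) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: text/html; charset=UTF-8');
    echo renderPostSafely($_POST);
}
```

Posting `canary="><script>…</script>` to this handler renders the literal text `&quot;&gt;&lt;script&gt;…` instead of executing it, and a form submitted from a site not in `ALLOWED_ORIGINS` is refused with 403 before anything is reflected.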
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| bootstrap-multiselect (npm) | < 2.0.0 | 2.0.0 |
Affected products
- bootstrap-multiselect/bootstrap-multiselect
- Range: =1.1.2
Patches
27da45ded9c82 Merge pull request #1287 from marcoris/master
1 file changed · +0 −3
post.php+0 −3 removed@@ -1,3 +0,0 @@ -<?php - -print_r($_POST); \ No newline at end of file
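Review bot: the merge commit message ("Merge pull request #1287 from marcoris/master") gives no hint that this is a security fix, so the release notes for the next version should name the advisory and say that post.php was removed, since anyone who deployed the 1.1.2 source tree still has a copy of `print_r($_POST);` on disk and will not learn that from this diff. Deleting the file outright is the right fix for a sample script with no role in the widget; there is nothing to sanitize or keep.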
11e1a6c11d39 Adding cve-2025-47204
1 file changed · +32 −0
http/cves/2025/CVE-2025-47204.yaml+32 −0 added@@ -0,0 +1,32 @@ +id: CVE-2025-47204 + +info: + name: Bootstrap Multiselect Misconfiguration <= 1.1.2 - Cross-Site Scripting + author: r3naissance + severity: medium + description: | + A PHP script in the source code release echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF). + impact: | + Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application. + remediation: | + Only use the necessary components (css/js) in production applications + reference: + - https://nvd.nist.gov/vuln/detail/CVE-2025-47204 + tags: cve,cve2025,xss,misconfiguration,bootstrap-multiselect + +http: + - raw: + - | + POST /bootstrap-multiselect/post.php HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded + + canary=%22%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E + + matchers: + - type: dsl + dsl: + - 'status_code == 200' + - 'contains(content_type, "text/html")' + - 'contains(body, "<script>alert(document.domain)</script>")' + condition: and
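Review bot: the `remediation` field ("Only use the necessary components (css/js) in production applications") omits the concrete fixes recorded for this CVE, namely deleting post.php (the change merged in PR #1287) or upgrading to 2.0.0, and `reference` lists only the NVD entry; add the GHSA advisory (GHSA-gv5r-9gxr-v74w) and the fix commit so that a scan hit points operators at the actual patch rather than a generic hygiene tip.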
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-gv5r-9gxr-v74w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-47204 (GHSA, advisory)
- github.com/davidstutz/bootstrap-multiselect/commit/7da45ded9c82837a8eae9cb9dd3bd32a3dd1dc45 (GHSA, web)
- github.com/davidstutz/bootstrap-multiselect/issues/1286 (GHSA, web)
- github.com/davidstutz/bootstrap-multiselect/pull/1287 (GHSA, web)
- github.com/projectdiscovery/nuclei-templates/commit/11e1a6c11d3954f44acfb0274b6dad4bd8045103 (GHSA, web)
News mentions
No linked articles in our index yet.