Unrated severityNVD Advisory· Published Jun 2, 2025· Updated Jun 2, 2025

Stored XSS in CE Phoenix Cart Testimonials Allows Account Takeover if Missing HttpOnly Flag

CVE-2025-47289

Description

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the HttpOnly flag, they can be exfiltrated by the attacker — potentially leading to account takeover. Version 1.1.0.3 fixes the issue.

Affected products

CE Phoenix/CE Phoenixllm-fuzzy
Range: >=1.0.9.9, <=1.1.0.2
CE-PhoenixCart/PhoenixCartv5
Range: >= 1.0.9.7, < 1.1.0.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

drive.google.com/file/d/1uQAEjewSL9jWWu1UHe47tAnM7U4_x39g/viewmitrex_refsource_MISC
github.com/CE-PhoenixCart/PhoenixCart/security/advisories/GHSA-98qq-m8qj-vvgjmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000