CVE-2025-9103
Description
A vulnerability was detected in ZenCart 2.1.0. Affected by this vulnerability is an unknown functionality of the component CKEditor. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The real existence of this vulnerability is still doubted at the moment. The vendor declares this as "intended behavior, allowed for authorized administrators".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ZenCart 2.1.0 allows an authenticated administrator to store XSS payloads via CKEditor, but the vendor classifies this as intended behavior for authorized admins.
CVE-2025-9103 describes a cross-site scripting (XSS) vulnerability in ZenCart 2.1.0, specifically affecting the CKEditor component. The vendor asserts this is intended behavior for authorized administrators, which is reflected in a very low CVSS score of 2.4. The root cause is that content entered through CKEditor is not sufficiently sanitized, allowing the injection of arbitrary scripts.
An attacker with administrative access to ZenCart can exploit this by embedding malicious JavaScript into content fields processed by CKEditor. The attack is launched remotely, meaning a crafted request can deliver the payload. A proof-of-concept has been published, demonstrating a simple PHP script that logs cookies from victims who view the manipulated content [1]. No authentication bypass or additional privileges beyond an admin role are required, as the feature is designed for authorized users.
Successful exploitation allows an attacker to execute JavaScript in the context of other administrators or users who view the affected pages, potentially leading to session hijacking, cookie theft, or further content manipulation. However, since exploitation requires an admin account and the vendor considers the behavior acceptable for that trust level, the real-world impact is limited to scenarios where an admin account is compromised or misused.
Mitigation is limited because the vendor has declared the behavior intentional. Users should strictly control access to administrator accounts and monitor for suspicious edits. No official patch is provided, and the CVE notes that the existence of the vulnerability is doubted in some circles because of the vendor's stance. Workarounds include disabling CKEditor for untrusted roles or applying additional input validation via third-party plugins.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 5
News mentions: 0
No linked articles in our index yet.