Vulnerability Description
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
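The mitigation for this class of bug is to refuse SVG uploads that carry active content before they are stored. The following is an added illustration, not Bagisto's own code (Bagisto is PHP; this is a language-neutral check shown in Python), with two constructed SVG samples: it parses the file as XML and flags script elements, event-handler attributes, and script URIs, rejecting anything that is not well-formed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the kind the advisory describes: script carried inside an image.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <script>alert(document.cookie)</script>
  <a xlink:href="javascript:alert(1)"><text>x</text></a>
  <rect onload="alert(1)" width="1" height="1"/>
</svg>"""

# Constructed benign sample: plain shapes only.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <rect width="10" height="10" fill="#00f"/>
</svg>"""

DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
# Attributes that can carry a URI, including SMIL animation targets (from/to/values).
URL_ATTRS = {"href", "src", "from", "to", "values"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")  # data: is refused conservatively


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag and attribute names."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data: bytes) -> list[str]:
    """Return the reasons this SVG must not be accepted (empty list = nothing found)."""
    findings = []
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        findings.append("DOCTYPE/ENTITY declaration present")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]  # never store what we could not parse
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in el.attrib.items():
            name = _local(attr)
            # Remove whitespace/control characters so "java\tscript:" is still caught.
            cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            elif name in URL_ATTRS and cleaned.startswith(SCRIPT_SCHEMES):
                findings.append(f"script/data URI in {name} on <{tag}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    """True only when the scan produced no findings."""
    return not svg_findings(data)
```

Serving stored SVGs with `Content-Type: image/svg+xml` plus a restrictive `Content-Security-Policy` and `Content-Disposition: attachment` limits the damage if a file slips past the filter.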
CVSS Score
8.3 (HIGH)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Webkul | Bagisto | 2.3.6 |
Related Weaknesses (CWE)
References
- https://gist.github.com/daman-preet-singh/cd431f4c30a585bb87d3c69e4a8eec98 (Exploit, Third Party Advisory)
- https://github.com/Shenal01/CVE-2025-60880 (Exploit, Third Party Advisory)
FAQ
What is CVE-2025-60880?
CVE-2025-60880 is a vulnerability with a CVSS score of 8.3 (HIGH). An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This ...
How severe is CVE-2025-60880?
CVE-2025-60880 has been rated HIGH with a CVSS base score of 8.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-60880?
Check the references section above for vendor advisories and patch information. Affected products include: Webkul Bagisto.