CVE-2025-47442 in BMI Calculator Plugin

Summary

by MITRE • 05/07/2025

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in CC CC BMI Calculator allows Stored XSS. This issue affects CC BMI Calculator: from n/a through 2.1.0.


Analysis

by VulDB Data Team • 05/07/2025

CVE-2025-47442 is a cross-site scripting flaw in the CC BMI Calculator web application, classified under CWE-79 as a stored XSS. It arises from inadequate input sanitization during web page generation: user-supplied data is stored and later rendered to other users without being neutralized. The flaw is present in all versions of the CC BMI Calculator from the initial release through version 2.1.0, so it has affected the application for an extended period.

The vulnerability is triggered when malicious input is accepted and stored in the application's database or storage mechanism, then retrieved and displayed without proper encoding. When other users open pages that contain the stored content, their browsers execute the embedded script in the context of their own session. This stored nature distinguishes the flaw from reflected XSS: the payload persists and affects multiple users over time rather than requiring each victim to interact with a crafted URL.

From an operational impact perspective, this vulnerability creates significant risk for both end users and the organization operating the application. Injected scripts may steal session cookies, redirect users to phishing sites, deface the application interface, or perform actions on behalf of authenticated users. The flaw falls squarely within the injection and cross-site scripting risks listed in the OWASP Top Ten. Depending on the application's user base and the privileges of the affected users, it could enable privilege escalation or data exfiltration.

Mitigation of CVE-2025-47442 should focus on robust input validation and output encoding throughout the application's data flow. All user input should be sanitized before storage, and all output should be encoded for the context in which it is rendered, which differs between HTML body, HTML attribute, JavaScript, and URL contexts. The application should also send Content Security Policy headers to limit script execution, enforce reasonable input length restrictions, and use parameterized queries or prepared statements wherever it interacts with a database. Regular security testing, both automated scanning and manual penetration testing, should be conducted to find similar weaknesses. The ATT&CK framework maps this vulnerability to T1566 - Phishing and T1059 - Command and Scripting Interpreter, reflecting the potential for attackers to use it as a foothold for broader compromise. Patch management procedures should ensure timely remediation across all affected versions of the CC BMI Calculator application.
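An added example (not code from the CC BMI Calculator plugin or from VulDB) that contrasts the stored-XSS pattern described above with a hardened form. It assumes a WordPress-style PHP plugin; the option name, function names and the settings field are hypothetical.

```php
<?php
// Added example, not the plugin's own code. Assumes WordPress helpers
// (sanitize_text_field, esc_html, esc_attr, wp_json_encode, get_option).

// --- Vulnerable pattern: raw input is stored, then echoed raw to everyone ---
function bmi_save_settings_vulnerable( array $post ) {
    // The raw value is persisted, so one stored payload reaches every visitor.
    update_option( 'bmi_result_label', $post['result_label'] );
}

function bmi_render_vulnerable() {
    $label = get_option( 'bmi_result_label' );
    // Same unencoded value lands in three different output contexts.
    echo '<div class="bmi-result" data-label="' . $label . '">' . $label . '</div>';
    echo '<script>var bmiLabel = "' . $label . '";</script>';
}

// --- Hardened: sanitize on input, encode per output context on render ---
function bmi_save_settings_hardened( array $post ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only administrators may change plugin settings
    }
    // Strip tags and control characters, then cap the length before storage.
    // This is defence in depth; it does not replace output encoding.
    $label = sanitize_text_field( wp_unslash( $post['result_label'] ?? '' ) );
    update_option( 'bmi_result_label', mb_substr( $label, 0, 64 ) );
}

function bmi_render_hardened() {
    $label = get_option( 'bmi_result_label', '' );
    // Attribute context and HTML body context each get their own encoder;
    // esc_html() alone would not be safe inside the attribute.
    printf(
        '<div class="bmi-result" data-label="%s">%s</div>',
        esc_attr( $label ),
        esc_html( $label )
    );
    // For JavaScript, pass the value as a JSON literal instead of splicing it
    // into a quoted string; wp_json_encode() escapes quotes and "</".
    printf( '<script>var bmiLabel = %s;</script>', wp_json_encode( $label ) );
}

// Content Security Policy as a second layer: an inline payload that slips
// past a missed encoding step is still blocked by the browser. A plugin that
// ships its own inline scripts needs a nonce- or hash-based policy instead.
add_action( 'send_headers', function () {
    header( "Content-Security-Policy: script-src 'self'" );
} );
```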

Responsible: Patchstack

Reservation: 05/07/2025

Disclosure: 05/07/2025

Moderation: accepted

CPE: ready

EPSS: 0.00143

KEV: no

Activities: very low

Sources
