CVE-2025-60880 in Bagisto
Summary
by MITRE • 10/10/2025
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
Analysis
by VulDB Data Team • 01/09/2026
The vulnerability identified as CVE-2025-60880 represents a critical security flaw within the Bagisto e-commerce platform's administrative interface, specifically affecting version 2.3.6. This issue manifests as an authenticated stored cross-site scripting vulnerability that occurs during the product creation process, where the system fails to properly sanitize user-uploaded content. The flaw allows an attacker who has gained administrative access to upload malicious SVG files that contain embedded JavaScript code, creating a persistent threat that remains active until the file is removed from the system.
The technical exploitation of this vulnerability relies on the platform's insufficient input validation and output encoding within the product image upload functionality. When an administrator uploads a specially crafted SVG file, the system stores the file without adequately sanitizing the embedded JavaScript code. This stored content is then rendered in the admin panel, executing the malicious script within the context of the authenticated user's browser session. The vulnerability falls under CWE-79, which specifically addresses cross-site scripting flaws, and aligns with ATT&CK technique T1566.001 for initial access through malicious file uploads.
The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with elevated privileges within the administrative environment. Successful exploitation could enable threat actors to manipulate product listings, modify pricing, access sensitive customer data, or even escalate their privileges further within the system. The stored nature of the vulnerability means that the malicious code persists across multiple user sessions, making it particularly dangerous as it can affect any administrator who views the affected product pages. This creates a vector for session hijacking attacks where attackers can steal administrative credentials and maintain long-term access to the e-commerce platform.
Mitigation for this vulnerability should start with strict file validation that rejects or sanitizes any SVG file containing executable JavaScript. Organizations should enforce Content Security Policy headers that prevent inline script execution and apply proper input sanitization to all user-uploaded content. The recommended approach is a file type verification system that examines the actual content of uploaded files rather than relying solely on file extensions, combined with comprehensive output encoding for all dynamic content rendered in the admin interface. Applying the principle of least privilege to access controls and auditing uploaded content regularly can also help detect and prevent exploitation attempts. Organizations should further consider deploying web application firewalls with rules designed to detect and block malicious SVG uploads, and require strong authentication, including multi-factor authentication, for all administrative users to reduce the risk of unauthorized access to the vulnerable administrative interface.
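As an added example (not Bagisto's own code and not part of the advisory), the following is a content-based upload check of the kind the mitigation paragraph recommends: it parses the uploaded bytes as XML and rejects anything whose root is not <svg>, or that contains script-capable elements, event-handler attributes, or javascript:-scheme hrefs, instead of trusting the file extension. Function names and the sample inputs are constructed for this example.

```python
"""Content-based SVG upload check (added example, not Bagisto's own code)."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Elements that can carry or trigger script execution when an SVG is rendered.
SCRIPT_CAPABLE_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
# URL schemes in href / xlink:href that execute script in a browser.
SCRIPT_SCHEMES = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

def _local(name: str) -> str:
    """Drop the XML namespace: '{http://www.w3.org/2000/svg}svg' -> 'svg'."""
    return name.rsplit("}", 1)[-1].lower()

def svg_findings(data: bytes) -> list[str]:
    """Return reasons an uploaded SVG must be rejected; an empty list means clean.

    Note: for production use, parse with defusedxml.ElementTree so that entity
    expansion attacks in the DOCTYPE are capped as well.
    """
    try:
        root = ET.fromstring(data)  # comments and PIs are discarded by default
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    findings: list[str] = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in SCRIPT_CAPABLE_TAGS:
            findings.append(f"forbidden element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):          # onload, onclick, onerror, ...
                findings.append(f"event handler {name} on <{tag}>")
            elif name == "href" and SCRIPT_SCHEMES.match(value):
                findings.append(f"scheme URL in href on <{tag}>")
    return findings

def is_safe_svg(data: bytes) -> bool:
    """True only when the content check produced no findings."""
    return not svg_findings(data)

# Constructed samples: a plain icon and a file carrying three injection vectors.
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
              b'<rect width="10" height="10" fill="red"/></svg>')
MALICIOUS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">'
                 b'<script>alert(1)</script>'
                 b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')
```

A rejected upload should be logged with its findings, since an administrator account submitting such a file is itself a signal worth investigating.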