| Field | Value |
|---|---|
| Title | Bdtask Wholesale Management System Latest version as of 2025-10-16 Stored HTML Injection |
| Description | A Stored HTML Injection vulnerability exists in the user profile functionality of the Wholesale Management System. The application's input filter for the `first_name` and `last_name` parameters is incomplete and fails to properly sanitize HTML tags like `<a>`. An authenticated attacker can inject a malicious HTML payload, such as a deceptive hyperlink, into these fields. The payload is then stored and rendered on pages displaying the user's name, which can be used to conduct phishing attacks against any user who views the compromised profile. |
| Source | https://github.com/4m3rr0r/PoCVulDb/issues/4 |
| User | 4m3rr0r (UID 85795) |
| Submission | 10/29/2025 14:32 (8 months ago) |
| Moderation | 11/14/2025 12:04 (16 days later) |
| Status | Accepted |
| VulDB entry | 332470 [Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System /edit_profile cross site scripting] |
| Points | 20 |
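The root cause in the description is a denylist-style input filter that strips some tags but not others, so a stored name still renders as markup. The added example below is not the application's code and not part of the VulDB entry; the `denylist_filter` function is a hypothetical stand-in for the pattern described, and the sample name is constructed. It contrasts that filter with the two controls a defender would actually rely on: rejecting angle brackets in a person-name field on input, and HTML-encoding at the output point so whatever is stored is shown as text.

```python
import html
import re

# Constructed sample input (not from the advisory): a display name carrying an
# HTML anchor, the kind of tag the description says the filter lets through.
SAMPLE_FIRST_NAME = '<a href="https://example.invalid/">Alice</a>'

# Hypothetical denylist, assumed for illustration; the real filter's list is
# not on the page. Only these tag names are stripped, so anything else survives.
DENIED_TAGS = ("script", "iframe", "img")


def denylist_filter(value: str) -> str:
    """Incomplete filter: removes only the tags in DENIED_TAGS."""
    pattern = r"</?(%s)\b[^>]*>" % "|".join(DENIED_TAGS)
    return re.sub(pattern, "", value, flags=re.IGNORECASE)


def contains_markup(value: str) -> bool:
    """True if the value still contains something a browser will parse as a tag."""
    return re.search(r"<[a-zA-Z/!]", value) is not None


def validate_name(value: str) -> bool:
    """Input-side control: a person's name has no business containing < or >."""
    stripped = value.strip()
    return 0 < len(stripped) <= 100 and "<" not in value and ">" not in value


def render_name(value: str) -> str:
    """Output-side control: encode at the render point, whatever was stored."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    filtered = denylist_filter(SAMPLE_FIRST_NAME)
    print("after denylist filter :", filtered)
    print("still renders as markup:", contains_markup(filtered))
    print("accepted by validator  :", validate_name(SAMPLE_FIRST_NAME))
    print("escaped at output      :", render_name(filtered))
```

Run it and the anchor passes the denylist untouched, the validator rejects it, and the escaped output shows it as literal text. Output encoding is the control that holds even for names already sitting in the database, which matters for a stored issue like this one; input validation is the second layer that keeps new records clean.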