Overview
CVE-2025-13180 describes a basic Cross-Site Scripting (XSS) vulnerability found in the Bdtask/CodeCanyon Wholesale Inventory Control and Inventory Management System, affecting versions up to 20250320. This vulnerability allows a remote attacker to inject malicious scripts into the system via the /edit_profile endpoint, specifically through the first_name and last_name parameters. The vendor was notified but did not respond. A proof-of-concept exploit is publicly available.
Technical Details
The vulnerability resides within the /edit_profile functionality. By submitting JavaScript in the first_name and last_name parameters, an attacker can store a script that executes in the browsers of other users when they view the profile. The application neither validates the input nor encodes it on output, so the XSS payload is persisted and rendered to other users unchanged.
Example Payload:
<script>alert('XSS Vulnerability!');</script>
An attacker could use this vulnerability to steal cookies, redirect users to malicious websites, or deface the affected web page.
CVSS Analysis
- CVSS Score: 3.5 (Low)
- Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- Explanation: This is a low-severity vulnerability because it requires user interaction (e.g., viewing the crafted profile or clicking a crafted link) and has limited impact (integrity only, with no confidentiality or availability impact in the vector). The attacker also needs an account with low-level privileges (PR:L).
Possible Impact
Although classified as low severity, the impact of CVE-2025-13180 should not be disregarded. Successful exploitation can lead to:
- Account Hijacking: Stealing user cookies to gain unauthorized access to accounts.
- Phishing: Redirecting users to phishing websites designed to steal credentials.
- Defacement: Altering the appearance of the affected profile pages.
- Information Theft: Exfiltrating sensitive information displayed on the profile page.
Mitigation or Patch Steps
Since the vendor has not provided a patch, the following mitigation steps are recommended:
- Input Validation: Implement strict input validation and sanitization on the first_name and last_name parameters within the /edit_profile functionality.
- Output Encoding: Encode user-supplied data before displaying it on the page to prevent the execution of malicious scripts. Use appropriate encoding functions for the context (e.g., HTML encoding).
- Web Application Firewall (WAF): Deploy a WAF to detect and block XSS attacks. Configure the WAF with rules to identify and prevent the injection of malicious scripts.
- Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities in the application.
- Consider Alternative Solutions: If the vendor remains unresponsive, evaluate alternative inventory management solutions that prioritize security.
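The two code-level mitigations above (input validation on first_name/last_name and HTML output encoding) as an added illustrative example; this is not the vendor's code, and the allowed-character rule for names and the /edit_profile handler shape are assumptions made for the demonstration. The payload is the one quoted in this advisory.

```python
import html
import re

# Constructed sample: the payload quoted in the advisory, as it would arrive in the
# first_name parameter of a POST to /edit_profile.
SAMPLE_PAYLOAD = "<script>alert('XSS Vulnerability!');</script>"

# Assumed validation rule: Unicode letters, joined by single spaces, apostrophes,
# hyphens or periods; no digits, tags or other punctuation. Adjust to local policy.
NAME_RE = re.compile(r"^[^\W\d_]+(?:[ '\-.][^\W\d_]+)*$")


def validate_name(value: str, max_len: int = 60) -> bool:
    """Reject anything that is not a plausible personal name (length + character class)."""
    value = value.strip()
    if not 1 <= len(value) <= max_len:
        return False
    return NAME_RE.fullmatch(value) is not None


def render_profile_vulnerable(first_name: str, last_name: str) -> str:
    """The 'before' pattern: raw concatenation into the HTML body, so tags are live."""
    return f"<p class='name'>{first_name} {last_name}</p>"


def render_profile_hardened(first_name: str, last_name: str) -> str:
    """HTML body context: escape <, >, & and both quote characters before rendering."""
    return (
        f"<p class='name'>{html.escape(first_name, quote=True)} "
        f"{html.escape(last_name, quote=True)}</p>"
    )


def handle_edit_profile(form: dict) -> tuple:
    """Assumed handler shape: validate on input, encode on output. Returns (status, body)."""
    first = form.get("first_name", "").strip()
    last = form.get("last_name", "").strip()
    if not (validate_name(first) and validate_name(last)):
        return 400, "first_name and last_name may contain letters, spaces, apostrophes, hyphens or periods only"
    return 200, render_profile_hardened(first, last)
```

Either layer alone stops the quoted payload; keeping both means a future relaxation of the name rule (or a different field) does not reintroduce script execution.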
