6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62414

GHSA ID

GHSA-r9xj-mvqf-jm7w

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62414

CVE-2025-62414: bagisto has Cross Site Scripting (XSS) in Create New Customer

Summary

In Bagisto v2.3.7, the “Create New Customer” feature (in the admin panel) is vulnerable to reflected / stored Cross-Site Scripting (XSS). An attacker with access to the admin create-customer form can inject malicious JavaScript payloads into certain input fields. These payloads may later execute in the context of an admin’s browser or another user viewing the customer data, enabling session theft or admin-level actions.

Details

The vulnerability arises because certain input fields are not properly sanitized or escaped when rendering customer data in the admin UI. The form data is stored in the database (i.e. it is stored XSS), and later when customer records are displayed (e.g. in a grid, detail view, or listing), the input is interpolated into HTML without encoding or filtering.

PoC

Navigate to sales orders, and create a new customer. <img width="643" height="567" alt="image" src="https://github.com/user-attachments/assets/e3a7c5a2-f53b-4db6-ac23-3451bca58956" /> Enter the payload "><svg/onload=prompt(document.domain)> to the first_name and last_name. <img width="1527" height="767" alt="image" src="https://github.com/user-attachments/assets/86ac325e-7700-477d-a13d-be2d4885f510" /> Scripts were triggered. <img width="1267" height="321" alt="image" src="https://github.com/user-attachments/assets/ce673b44-13cc-4e88-a89e-03bf0bd7e244" /> <img width="1336" height="404" alt="image" src="https://github.com/user-attachments/assets/d45913ea-b177-4926-8612-92518e12f11e" />

Impact

Stored XSS vulnerability — malicious script persisted in database and executed when viewing the data. An attacker (with limited privilege) could inject JavaScript that runs in the browser of an admin or user who views injected customer records. The script can steal session cookies, perform actions on behalf of admin, escalate privileges, or pivot into further attacks. In an e-commerce admin system, this is high severity due to potential access to customer data, order management, or site configuration.

(GitHub Advisory)

6.9

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-62414

GHSA ID

GHSA-r9xj-mvqf-jm7w

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bagisto/bagisto	composer	<= 2.3.7	2.3.8

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a stored Cross-Site Scripting (XSS) in the 'Create New Customer' feature of Bagisto. The analysis of the commits between the vulnerable version (2.3.7) and the patched version (2.3.8) reveals a significant security enhancement in commit 8076c708498a0187bc952d5f5f705e0cb1919682. This commit introduces a new dependency, stevebauman/purify, which is a well-known HTML sanitizer for Laravel. It also adds a new helper function, clean_content, that utilizes this library to sanitize content. Although the commit message and the immediate application of this fix shown in the patch are for 'product attributes', the introduction of this generic sanitization function is the key to fixing XSS vulnerabilities throughout the application, including the one in the customer creation form. The vulnerability exists because the controller methods that handle customer creation and updates (likely store and update in a CustomerController) were accepting user input (e.g., first_name, last_name) and saving it to the database without proper sanitization. When this stored data, containing malicious scripts, was later rendered on a page (e.g., customer list or edit page), the scripts would execute in the user's browser. The patch addresses this by providing the clean_content function, which is then used within a Form Request's passedValidation method to sanitize the input before it reaches the controller. While the specific patch for the customer-related forms and controllers is not directly visible in the provided information, the introduction of the sanitization mechanism itself is the crucial piece of evidence. The vulnerable functions are those that process and display user-generated content without proper sanitization, and the fix is the application of the new clean_content function at the input validation stage.

Vulnerable functions

Webkul\DataGrid\Exports\DataGridExport::map

packages/Webkul/DataGrid/src/Exports/DataGridExport.php

The `map` function in `DataGridExport` is responsible for preparing data for export. In the vulnerable version, it directly maps data from the record to the export, without any sanitization. This could lead to vulnerabilities like CSV injection if the exported data is opened in a spreadsheet program. The patch adds a call to a new `sanitize` method to clean the data before it's added to the export.

Webkul\Admin\Http\Requests\ProductForm::passedValidation

packages/Webkul/Admin/src/Http/Requests/ProductForm.php

The `passedValidation` function is a new function added in the patch to sanitize user input after validation has passed. It specifically targets fields that use the TinyMCE editor. It iterates through these fields and applies the `clean_content` function to sanitize their content. The absence of this function in the vulnerable version means that any input from TinyMCE fields was not being sanitized, leading to a stored XSS vulnerability.

clean_content

packages/Webkul/Core/src/Http/helpers.php

The `clean_content` function is a new helper function introduced in the patch to sanitize HTML content. It uses the `Purify` facade (from the `stevebauman/purify` library) to clean the content, and then it removes or escapes various template syntaxes. This function is the core of the fix for the XSS vulnerability. Any function that processes user-provided content and did not use this function (or a similar sanitization mechanism) in the vulnerable version is a source of the vulnerability.

WAF Protection Rules

WAF Rule

### Summ*ry In ***isto v*.*.*, t** “*r**t* N*w *ustom*r” ***tur* (in t** **min p*n*l) is vuln*r**l* to r**l**t** / stor** *ross-Sit* S*riptin* (XSS). *n *tt**k*r wit* ****ss to t** **min *r**t*-*ustom*r *orm **n inj**t m*li*ious J*v*S*ript p*ylo**s i

Reasoning

T** vuln*r**ility is * stor** *ross-Sit* S*riptin* (XSS) in t** '*r**t* N*w *ustom*r' ***tur* o* ***isto. T** *n*lysis o* t** *ommits **tw**n t** vuln*r**l* v*rsion (*.*.*) *n* t** p*t**** v*rsion (*.*.*) r*v**ls * si*ni*i**nt s**urity *n**n**m*nt in

6.9

Basic Information

Concerned about an active attack path?

CVE-2025-62414: bagisto has Cross Site Scripting (XSS) in Create New Customer

Summary

Details

PoC

Impact

6.9

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI