6.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62415

GHSA ID

GHSA-67px-r26w-598x

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-62415

CVE-2025-62415: bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)

Summary

In Bagisto v2.3.7, the TinyMCE image upload functionality allows an attacker with sufficient privileges (e.g. admin) to upload a crafted HTML file containing embedded JavaScript. When viewed, the malicious code executes in the context of the admin/user’s browser.

Details

The application blocks the uploading of HTML files; however, if the backend detected that the content of the .png file is HTML or JavaScript, the file extension will be automatically converted from .png to .html. When the HTML is viewed, it will execute the JavaScript code.

PoC

Created a html file, renamed the extension to .png, and uploaded the file. It was converted to HTML file in the backend. When opened in another tab, the JavaScript code will execute. <img width="1605" height="702" alt="image" src="https://github.com/user-attachments/assets/bd9406aa-2380-464f-ac21-32d483639969" /> <img width="1358" height="314" alt="image" src="https://github.com/user-attachments/assets/e5a64a5a-39fb-4fdb-ada9-14c4b9554803" />

Impact

A aalicious script is stored in HTML file and executed when the content is viewed. An attacker (with upload privilege) can target other admin users or editors who view the content, enabling session hijacking, unauthorized actions, or privilege escalation.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-62415

CVE-2025-62415:

6.9

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-62415

GHSA ID

GHSA-67px-r26w-598x

EPSS Score

CWE

CWE-79

Published

10/16/2025

Updated

10/16/2025

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
bagisto/bagisto	composer	<= 2.3.7	2.3.8

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in the file upload functionality of the TinyMCE editor in Bagisto. The root cause is insufficient validation on the backend when a file is uploaded. The analysis of the patch commit 7b6b1dd639a14e7053bb82ef2f971c1f533fdfab reveals that the storeMedia function in TinyMCEController.php was responsible for saving the uploaded file without proper checks.

The vulnerable version of storeMedia would accept a file, such as one named malicious.png, even if its content was actually HTML/JavaScript. The system would later process this file, and as described in the vulnerability report, rename it to .html, allowing the embedded script to be executed in the context of the user's browser when accessed.

The patch introduces two key validation steps:

MIME Type Check: It verifies that the uploaded file's MIME type is one of the allowed image types (e.g., image/png, image/jpeg).
Extension and MIME Type Correlation: It ensures that the file's extension corresponds to its validated MIME type.

The upload function is the controller action that receives the HTTP request and calls storeMedia. Therefore, both functions would be present in the execution stack during a successful exploitation attempt. The primary flaw is within storeMedia, but upload is the entry point for the vulnerable operation.

Vulnerable functions

Webkul\Admin\Http\Controllers\TinyMCEController::upload

packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php

This function is the public entry point for handling file uploads from the TinyMCE editor. It calls the `storeMedia` method to process and save the file. While the primary vulnerability lies within `storeMedia`, this function is a crucial part of the execution flow that would appear in a stack trace during exploitation, as it orchestrates the file upload process.

Webkul\Admin\Http\Controllers\TinyMCEController::storeMedia

packages/Webkul/Admin/src/Http/Controllers/TinyMCEController.php

This function contains the core of the vulnerability. In the unpatched version, it directly saves an uploaded file without validating its content against its MIME type or file extension. This allows an attacker to upload a file with an image extension (e.g., '.png') that contains malicious HTML and JavaScript. The application would then misinterpret this file as HTML, leading to Cross-Site Scripting (XSS) when the file is viewed. The patch rectifies this by adding strict validation to ensure the file's MIME type and extension match and are on an allowed list of image types.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.9

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-62415: bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)

Summary

Details

PoC

Impact

CVE-2025-62415:

6.9

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

6.9

6.9

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-62415: bagisto has Cross Site Scripting (XSS) issue in TinyMCE Image Upload (HTML)

Summary

Details

PoC

Impact

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI