CVE-2025-47204: 
JavaScript vulnerability analysis and mitigation

A vulnerability (CVE-2025-47204) was discovered in bootstrap-multiselect (Bootstrap Multiselect) version 1.1.2, disclosed on May 13, 2025. The vulnerability exists in post.php where a PHP script echoes arbitrary POST data without proper sanitization. This issue was assigned a CVSS v3.1 base score of 6.1 (Medium) (NVD, Wiz).

The vulnerability stems from a PHP script in post.php that directly echoes arbitrary POST data without proper sanitization. If developers implement this code structure in a live application, it could lead to a Reflective Cross-Site Scripting (XSS) vulnerability that can be exploited through Cross-Site Request Forgery (CSRF). The vulnerability has been assigned CWE-352 (Cross-Site Request Forgery) and received a CVSS v3.1 base score of 6.1, indicating medium severity with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD, Wiz).

Successful exploitation of this vulnerability could allow attackers to execute malicious scripts in the context of the victim's browser. This could potentially lead to data theft, session hijacking, or defacement of the affected application. The vulnerability requires user interaction but can be executed without authentication, making it a significant risk for applications that have implemented the vulnerable code structure (Wiz, Nuclei Template).

The recommended mitigation is to only use the necessary components (CSS/JS) in production applications and avoid implementing the vulnerable post.php script structure. Organizations should ensure proper input validation and sanitization are implemented when handling POST data. It is advised to update to a patched version if available or implement proper security controls when handling user input (Wiz).