CVE-2025-57407: 
PHP vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability has been identified in the Admin Log Viewer component of S-Cart versions 10.0.3 and earlier (CVE-2025-57407). The vulnerability was discovered and disclosed on September 23, 2025. The vulnerability allows remote authenticated attackers to inject arbitrary web script or HTML through a crafted User-Agent header (NVD).

The vulnerability exists in the Admin Log Viewer component where user input from the User-Agent header is not properly sanitized before being stored and displayed. When an administrator views the security log page, any malicious script injected through this vector is executed in their browser. This creates a stored XSS condition that persists in the application's logs (NVD).

If successfully exploited, the vulnerability could lead to session hijacking or other malicious actions when executed in an administrator's browser. Since the XSS payload is stored in the system logs, it can affect any administrator who views the security log page, potentially compromising administrative access to the system (NVD).

A fix for this vulnerability has been released. Users should upgrade their S-Cart installations to a version newer than 10.0.3. The fix was implemented in a security release as documented in the project's repository (GitHub Release).