CVE-2025-60880: 
PHP vulnerability analysis and mitigation

An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. The vulnerability was discovered in August 2025 and was assigned CVE-2025-60880 in October 2025. The vulnerability affects the Bagisto e-commerce platform version 2.3.6, specifically within the admin panel's product creation functionality (GitHub POC).

The vulnerability is classified as a stored Cross-Site Scripting (XSS) vulnerability with a CVSS v3.1 base score of 8.3 (High). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:H, indicating network attack vector, low attack complexity, high privileges required, and user interaction required. The vulnerability exists in the product creation path where SVG file uploads are not properly sanitized, allowing for the injection of malicious JavaScript code (AttackerKB, NVD).

The successful exploitation of this vulnerability can lead to session hijacking, data theft, and unauthorized actions within the admin panel. Due to the high privileges required (admin access), the impact is somewhat limited but still significant within the administrative context (GitHub POC).

To mitigate this vulnerability, it is recommended to enforce strict input validation, content-type enforcement, and proper file handling. Organizations should restrict file uploads to trusted formats and implement proper sanitization of SVG files to remove potentially harmful content. Additionally, administrators should monitor and validate all file uploads in the admin panel (GitHub POC).