CVE-2025-13412

2.4 LOW

📋 TL;DR

Campcodes Retro Basketball Shoes Online Store 1.0 contains a cross-site scripting (XSS) vulnerability in the /admin/admin_running.php file through the product_name parameter. This allows attackers to inject malicious scripts that execute in users' browsers when viewing affected admin pages. The vulnerability affects administrators and potentially other users who access the vulnerable admin interface.

💻 Affected Systems

Products:
  • Campcodes Retro Basketball Shoes Online Store
Versions: 1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments where the vulnerable file is reachable, typically through the admin interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal admin session cookies, perform administrative actions on behalf of legitimate users, deface the admin interface, or redirect users to malicious sites.

🟠 Likely Case

Attackers inject malicious JavaScript to steal admin credentials or session tokens, potentially gaining unauthorized access to the admin panel.

🟢 If Mitigated

With proper input validation and output encoding, the XSS payloads would be neutralized, preventing script execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly disclosed on GitHub, making it easy for attackers to craft XSS payloads targeting the product_name parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.campcodes.com/

Restart Required: No

Instructions:

No official patch is available. Implement input validation and output encoding in /admin/admin_running.php, or upgrade to a patched version if one is released.

🔧 Temporary Workarounds

Implement Input Validation


Add server-side validation to sanitize the product_name parameter, rejecting or encoding special characters.

Edit /admin/admin_running.php so that product_name is validated on input (for example with filter_var()) and HTML-encoded with htmlspecialchars() wherever it is written into the page.

Restrict Admin Access


Limit access to the admin interface to trusted IP addresses or require additional authentication.

Configure web server (e.g., Apache .htaccess or Nginx config) to restrict /admin/ directory access to specific IPs.

🧯 If You Can't Patch

  • Disable or remove the /admin/admin_running.php file if not essential.
  • Implement a web application firewall (WAF) with XSS protection rules to block malicious requests.

🔍 How to Verify

Check if Vulnerable:

Test by submitting a payload like <script>alert('XSS')</script> in the product_name parameter to /admin/admin_running.php and checking whether it executes in the browser.

Check Version:

Check the software version in the admin panel or review source code/configuration files for version indicators.

Verify Fix Applied:

After applying fixes, retest with the same XSS payload to ensure it's properly encoded or blocked.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests to /admin/admin_running.php with suspicious strings like <script>, javascript:, or encoded payloads in parameters.

Network Indicators:

  • Unusual traffic patterns to admin endpoints, especially with long or encoded parameter values.

SIEM Query:

source="web_logs" AND uri_path="/admin/admin_running.php" AND (param="product_name" AND value MATCHES "(?i)<script|javascript:")
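The log indicators and SIEM query above, turned into a runnable check as an added example that is not part of this advisory: it parses constructed combined-format access-log lines, scopes the match to the product_name parameter on /admin/admin_running.php, and percent-decodes repeatedly so that encoded and double-encoded payloads are caught as well as literal ones. It assumes the parameter arrives in the query string; POST bodies do not appear in standard access logs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (Apache/Nginx combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2025:10:01:02 +0000] "GET /admin/admin_running.php?product_name=Retro+Air HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Nov/2025:10:01:07 +0000] "GET /admin/admin_running.php?product_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "curl/8.0"
10.0.0.9 - - [12/Nov/2025:10:01:09 +0000] "GET /admin/admin_running.php?product_name=%253Cscript%253E HTTP/1.1" 200 640 "-" "curl/8.0"
10.0.0.7 - - [12/Nov/2025:10:02:00 +0000] "GET /admin/admin_running.php?product_name=x&search=javascript%3Aalert(1) HTTP/1.1" 200 600 "-" "Mozilla/5.0"
10.0.0.8 - - [12/Nov/2025:10:03:00 +0000] "GET /index.php?product_name=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
XSS_RE = re.compile(r"<script|javascript:", re.IGNORECASE)  # same pattern as the SIEM query
VULN_PATH = "/admin/admin_running.php"
PARAM = "product_name"

def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_xss_attempts(log_text):
    """Return (ip, timestamp, decoded product_name) for requests matching the indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs already decodes one layer; decode_fully handles the rest
        for value in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            decoded = decode_fully(value)
            if XSS_RE.search(decoded):
                hits.append((m.group("ip"), m.group("ts"), decoded))
    return hits

if __name__ == "__main__":
    for ip, ts, payload in find_xss_attempts(SAMPLE_LOG):
        print(f"{ts} {ip} product_name={payload!r}")
```

The fourth sample line is deliberately not reported: its payload sits in a different parameter, which is outside the scope of the query above, so widen PARAM handling if you want every parameter on that endpoint covered.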
