CVE-2025-59412

5.4 MEDIUM

📋 TL;DR

CubeCart versions before 6.5.11 have a cross-site scripting (XSS) vulnerability in the product reviews feature. A reviewer can place HTML in the review description; once an administrator approves the review, that HTML is rendered unescaped in the browser of every visitor who views the product page. This affects all CubeCart ecommerce sites running vulnerable versions.

💻 Affected Systems

Products:
  • CubeCart
Versions: All versions prior to 6.5.11
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations with product reviews enabled are vulnerable. Exploitation requires an administrator to approve the malicious review.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could redirect all site visitors to phishing/malware sites, steal session cookies, or perform actions on behalf of authenticated users.

🟠 Likely Case

Attackers inject malicious scripts to display unwanted content, deface product pages, or steal visitor session data.

🟢 If Mitigated

With proper input validation and output encoding, malicious scripts would be rendered as harmless text rather than executed code.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires submitting a review with malicious HTML and waiting for administrator approval. No authentication bypass is needed for submission.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.5.11

Vendor Advisory: https://github.com/cubecart/v6/security/advisories/GHSA-qfrx-vvvp-h5m2

Restart Required: No

Instructions:

1. Back up your CubeCart installation and database.
2. Download version 6.5.11 from the official CubeCart repository.
3. Replace all files with the patched version.
4. Verify that the update completed successfully.

🔧 Temporary Workarounds

Disable Product Reviews (applies to: all)

Temporarily disable the product reviews feature to prevent exploitation while planning the upgrade.

Navigate to CubeCart admin panel > Store Settings > Features > Disable 'Enable Reviews'

Implement Input Validation (applies to: all)

Add custom input sanitization to strip HTML tags from review submissions.

Modify the review submission handling code to use htmlspecialchars() or strip_tags() on user input.
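The workaround above names strip_tags() and htmlspecialchars(). The following is an added example, not CubeCart's own code, contrasting an unsafe renderer that echoes a stored review verbatim with a hardened path that strips tags at submission time and encodes at render time. Encoding at output is the control that actually prevents markup from becoming live DOM, whatever path the text took into the database, which is why the example does both. The function names and the sample review text are assumptions made for the demonstration; the sample uses the same test string the advisory suggests under "Verify Fix Applied".

```php
<?php
// Added example (not CubeCart's own code): unsafe rendering of a stored review
// description versus defence in depth (strip_tags() on submit, htmlspecialchars()
// on render). Function names and the sample review are hypothetical and do not
// correspond to CubeCart internals.

declare(strict_types=1);

// Constructed sample of a malicious submission (same test string the advisory
// recommends for verifying the fix).
const SAMPLE_REVIEW = "Great product! <script>alert('test')</script> <b>five stars</b>";

// Unsafe: stored text is echoed verbatim, so any markup in it becomes live DOM.
function renderReviewUnsafe(string $description): string
{
    return '<div class="review">' . $description . '</div>';
}

// Input-side workaround from the advisory: remove tags before the review is stored.
// strip_tags() is not an output encoder; the tag *contents* ("alert('test')") and
// stray quotes or "<" characters in ordinary prose survive it.
function sanitizeOnSubmit(string $description): string
{
    return trim(strip_tags($description));
}

// Output-side fix: encode every HTML-reserved character so the browser renders the
// text literally. ENT_QUOTES covers both quote styles (needed if the value is ever
// placed inside an attribute); an explicit UTF-8 charset avoids encoding confusion.
function renderReviewSafe(string $description): string
{
    $encoded = htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="review">' . $encoded . '</div>';
}

// Defence in depth: clean on the way in, encode on the way out. Even a review that
// reached the database through a path that skipped sanitizeOnSubmit() is still
// neutralised by the renderer.
function storeAndRender(string $submitted): string
{
    $stored = sanitizeOnSubmit($submitted);   // what would go into the reviews table
    return renderReviewSafe($stored);         // what the product page would emit
}

// Self-check usable in a test suite: the safe renderer must never leave a raw
// <script tag in the markup it produces.
function containsLiveScript(string $html): bool
{
    return stripos($html, '<script') !== false;
}

// Command-line demonstration of the three paths and the self-check.
echo renderReviewUnsafe(SAMPLE_REVIEW), PHP_EOL;
echo renderReviewSafe(SAMPLE_REVIEW), PHP_EOL;
echo storeAndRender(SAMPLE_REVIEW), PHP_EOL;
var_dump(containsLiveScript(renderReviewUnsafe(SAMPLE_REVIEW)));
var_dump(containsLiveScript(renderReviewSafe(SAMPLE_REVIEW)));
```

Run it with `php example.php`: the unsafe renderer reproduces the script tag verbatim and containsLiveScript() reports true for it, while both hardened outputs contain only encoded entities or the bare text "alert('test')" and the self-check reports false. When applying this to a real template, encode at the point where the review is written into HTML, not only on the submission form, so that older reviews already in the database are covered as well.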

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with XSS protection rules
  • Require manual review of all HTML content in reviews before approval

🔍 How to Verify

Check if Vulnerable:

Check if your CubeCart version is below 6.5.11 in the admin dashboard or by examining the includes/global.inc.php file.

Check Version:

Check the 'Version' field in the CubeCart admin dashboard or view the includes/global.inc.php file.

Verify Fix Applied:

After upgrading, test by submitting a review containing HTML tags such as <script>alert('test')</script> and, once it is approved, verify that the tags appear on the product page as literal text rather than being executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual review submissions containing HTML/script tags
  • Multiple review submissions from same IP in short timeframe

Network Indicators:

  • Unexpected redirects from product pages
  • External script loading from review pages

SIEM Query:

source="cubecart_logs" AND (review_submission CONTAINS "<script>" OR review_submission CONTAINS "javascript:")
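The SIEM query above is a literal string match. As an added example, not part of this advisory or of CubeCart, the following PHP script applies the two log indicators listed above (script-like markup in review bodies, and bursts of submissions from one IP) to a handful of constructed log lines. The log format, the field names, the time window and the threshold are all assumptions made for the demonstration. It goes slightly beyond the query by URL- and entity-decoding the review body before matching, so an entity-encoded "<script>" does not slip past, and by treating the inline event-handler attribute form as equivalent to a script tag.

```php
<?php
// Added example, not part of the advisory or of CubeCart: applies the log indicators
// to constructed review-submission log lines. Log format, field names, window and
// threshold are assumptions for the demonstration.

declare(strict_types=1);

// Constructed sample log lines in an assumed format:
//   <ISO-8601 timestamp> <client IP> review_submission product=<id> body=<url-encoded text>
const SAMPLE_LOG = [
    '2025-10-01T10:00:00Z 203.0.113.7 review_submission product=42 body=Works%20great%2C%20would%20buy%20again',
    '2025-10-01T10:00:05Z 203.0.113.9 review_submission product=42 body=Nice%20%3Cscript%3Ealert%281%29%3C%2Fscript%3E',
    '2025-10-01T10:00:07Z 203.0.113.9 review_submission product=43 body=%3Ca%20href%3D%22javascript%3Aalert%281%29%22%3Eclick%3C%2Fa%3E',
    '2025-10-01T10:00:09Z 203.0.113.9 review_submission product=44 body=%3Cimg%20src%3Dx%20onerror%3Dalert%281%29%3E',
    '2025-10-01T10:00:12Z 203.0.113.9 review_submission product=45 body=%26lt%3Bscript%26gt%3Bstill%20script',
    '2025-10-01T11:30:00Z 203.0.113.7 review_submission product=46 body=Shipping%20took%20a%20while',
];

// Patterns for the advisory's indicators (<script>, javascript:) plus the inline
// event-handler attribute form. Deliberately coarse: a false positive costs a
// moderator a look, a false negative costs every visitor to the product page.
const SUSPICIOUS_PATTERNS = [
    'script_tag'     => '/<\s*script\b/i',
    'javascript_uri' => '/javascript\s*:/i',
    'event_handler'  => '/\bon[a-z]+\s*=/i',
];

function parseLine(string $line): ?array
{
    // Fields are space separated; the body is the last field and is URL-encoded in the log.
    if (!preg_match('/^(\S+) (\S+) review_submission product=(\d+) body=(\S*)$/', $line, $m)) {
        return null;
    }
    return [
        'time'    => strtotime($m[1]),
        'ip'      => $m[2],
        'product' => (int) $m[3],
        // Undo URL encoding, then HTML entities, so "&lt;script&gt;" is matched as "<script>".
        'body'    => html_entity_decode(rawurldecode($m[4]), ENT_QUOTES | ENT_HTML5, 'UTF-8'),
    ];
}

// Indicator 1: review bodies containing script or script-like markup.
function findMarkupSubmissions(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $entry = parseLine($line);
        if ($entry === null) {
            continue;
        }
        foreach (SUSPICIOUS_PATTERNS as $name => $pattern) {
            if (preg_match($pattern, $entry['body'])) {
                $hits[] = ['ip' => $entry['ip'], 'product' => $entry['product'], 'reason' => $name];
                break;   // one reason per line is enough for triage
            }
        }
    }
    return $hits;
}

// Indicator 2: at least $threshold submissions from one IP inside $windowSeconds.
function findBurstSources(array $lines, int $windowSeconds = 60, int $threshold = 3): array
{
    $byIp = [];
    foreach ($lines as $line) {
        $entry = parseLine($line);
        if ($entry !== null) {
            $byIp[$entry['ip']][] = $entry['time'];
        }
    }
    $bursts = [];
    foreach ($byIp as $ip => $times) {
        sort($times);
        $start = 0;   // sliding window over the sorted timestamps
        foreach ($times as $end => $t) {
            while ($t - $times[$start] > $windowSeconds) {
                $start++;
            }
            if ($end - $start + 1 >= $threshold) {
                $bursts[$ip] = $end - $start + 1;   // largest window size seen for this IP
            }
        }
    }
    return $bursts;
}

// Command-line demonstration over the constructed sample.
foreach (findMarkupSubmissions(SAMPLE_LOG) as $hit) {
    printf("markup: ip=%s product=%d reason=%s\n", $hit['ip'], $hit['product'], $hit['reason']);
}
foreach (findBurstSources(SAMPLE_LOG) as $ip => $count) {
    printf("burst: ip=%s submissions_in_window=%d\n", $ip, $count);
}
```

Over the sample, the four submissions from 203.0.113.9 are each flagged by a different rule (script tag, javascript: URI, event handler, and the entity-encoded script tag that a plain "<script>" string match would miss), and the same address is reported as a burst source because its four submissions fall inside one 60-second window. The two ordinary reviews from 203.0.113.7 trigger nothing. In a real deployment the same decoding step should be applied before any SIEM string match, or the query will only catch the least careful submissions.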
