CVE-2025-60312 – CVE-2025-60312 is a stored cross-site scripting... (How to Fix)

Q: What is the severity of CVE-2025-60312?

CVE-2025-60312 has a CVSS score of 6.1 (MEDIUM). CVE-2025-60312 is a stored cross-site scripting vulnerability in Sourcecodester Markdown to HTML Converter v1.0 that allows attackers to inject malicious JavaScript into the markdown input field. When victims click the 'Convert to HTML' button, the injected code executes in their browser, potentially stealing session cookies or performing unauthorized actions. This affects all users of the vulnerable software version.

📋 TL;DR

CVE-2025-60312 is a stored cross-site scripting vulnerability in Sourcecodester Markdown to HTML Converter v1.0 that allows attackers to inject malicious JavaScript into the markdown input field. When victims click the 'Convert to HTML' button, the injected code executes in their browser, potentially stealing session cookies or performing unauthorized actions. This affects all users of the vulnerable software version.

💻 Affected Systems

Products:

Sourcecodester Markdown to HTML Converter

Versions: v1.0

Operating Systems: Any OS running PHP

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default installation with no special configuration required.

📦 What is this software?

Markdown To Html Converter by Rems

View all CVEs affecting Markdown To Html Converter →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could steal administrator session cookies, take over administrative accounts, deface websites, or redirect users to malicious sites.

🟠

Likely Case

Attackers inject malicious scripts to steal user session cookies or credentials, potentially compromising user accounts.

🟢

If Mitigated

With proper input validation and output encoding, the malicious scripts would be rendered harmless as plain text.

🌐 Internet-Facing: HIGH - The vulnerability is in a web application component that processes user input and could be exploited remotely without authentication.

🏢 Internal Only: MEDIUM - While less exposed than internet-facing systems, internal users could still be targeted through phishing or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires the attacker to have access to the markdown input field and victims to click the conversion button.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

1. Check for updated version from Sourcecodester. 2. If no patch available, implement input validation and output encoding. 3. Sanitize all user input before processing.

🔧 Temporary Workarounds

Implement Input Validation

PHP

Add server-side validation to sanitize markdown input before processing

// PHP example: htmlspecialchars($input, ENT_QUOTES, 'UTF-8')

Content Security Policy

all

Implement CSP headers to restrict script execution

Header set Content-Security-Policy "default-src 'self'; script-src 'self'" in .htaccess or server config

🧯 If You Can't Patch

Disable the markdown conversion feature entirely
Implement web application firewall rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Test by entering <script>alert('XSS')</script> in the markdown input field and checking if it executes when converted

Check Version:

Check the software version in the application interface or configuration files

Verify Fix Applied:

After implementing fixes, test with the same payload to ensure it's properly sanitized and doesn't execute

📡 Detection & Monitoring

Log Indicators:

Unusual markdown input containing script tags or JavaScript code
Multiple failed conversion attempts with suspicious payloads

Network Indicators:

HTTP requests containing script tags in POST data to conversion endpoint

SIEM Query:

source="web_server" AND ("<script>" OR "javascript:" OR "onclick=" OR "onload=") AND uri_path="/conversion_endpoint"

📊 Metadata

CVE ID: CVE-2025-60312

CVSS v3 Score: 6.1 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE: CWE-79

EPSS Score: 0.09% exploit probability (25.3th percentile)

Published: October 7, 2025

Last Updated: October 10, 2025

🔗 References

https://github.com/ChuckBartowski7/Vulnerability-Research/blob/main/CVE-2025-60312/README.md Exploit,Third Party Advisory
https://www.sourcecodester.com/php/18295/markdown-html-converter-using-php-and-javascript-source-code.html Product
https://github.com/ChuckBartowski7/Vulnerability-Research/blob/main/CVE-2025-60312/README.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-60312, you might also want to check these: