CVE-2025-60313

6.1 MEDIUM

📋 TL;DR

CVE-2025-60313 is a Cross-Site Scripting (XSS) vulnerability in Sourcecodester Link Status Checker 1.0 that allows remote attackers to inject malicious scripts via the URL input field. This affects all users running the vulnerable version of this PHP web application. Attackers can execute arbitrary JavaScript in victims' browsers when they view the manipulated link status results.

💻 Affected Systems

Products:
  • Sourcecodester Link Status Checker
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations of version 1.0. The vulnerability is in the web interface's URL input field.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deliver malware payloads through the vulnerable application.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the application interface through injected content.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting the specific user viewing manipulated results.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities typically have low exploitation complexity. No public proof-of-concept was found in the provided references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

1. Check Sourcecodester website for updated version
2. Replace vulnerable files with patched versions
3. Implement proper input validation and output encoding

🔧 Temporary Workarounds

Input Validation Filter (PHP)

Add server-side validation to sanitize URL inputs before processing.

Implement PHP filter_var() with FILTER_VALIDATE_URL or custom regex validation.

Output Encoding (PHP)

Encode all user-controlled output before rendering it in HTML.

Use htmlspecialchars() or htmlentities() when displaying URL results.
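The two workarounds combined, as an added PHP example that is not the Link Status Checker's own code; the request parameter name url and the result markup are assumptions:

```php
<?php
// Added example, not the Link Status Checker's own code. The request
// parameter name "url" and the result markup are assumptions.

/**
 * Validate a user-supplied URL. Returns the URL on success or null if it
 * is not a well-formed http(s) URL. FILTER_VALIDATE_URL does not restrict
 * the scheme, so http/https is enforced explicitly.
 */
function validate_link_url(string $input): ?string
{
    $url = filter_var(trim($input), FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Encode a value for insertion into HTML text or a quoted attribute. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input standing in for the submitted form field; the page's
// own test payload is used so the encoding step is visible in the output.
$input = $_GET['url'] ?? "<script>alert('XSS')</script>";

$url = validate_link_url($input);
if ($url === null) {
    // Never echo the raw input: if it must be shown, encode it first.
    echo '<p class="error">Invalid URL: ' . h($input) . '</p>';
    exit;
}

// The status lookup itself is out of scope here; only the display matters.
// Encoding the URL makes any markup in it render as text, not as HTML.
echo '<p>Status for <code>' . h($url) . '</code>: checked</p>';
```

Run with no query parameter to see the rejected payload rendered as inert text, or pass a valid http(s) URL to see the encoded result line.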

🧯 If You Can't Patch

  • Implement a Web Application Firewall (WAF) with XSS protection rules
  • Disable or restrict access to the vulnerable application until patching is possible

🔍 How to Verify

Check if Vulnerable:

Test by entering a basic XSS payload such as <script>alert('XSS')</script> in the URL input field and checking whether it executes

Check Version:

Check the application's version file or documentation, typically in readme.txt or version.php

Verify Fix Applied:

Test with the same XSS payloads and verify that they are properly sanitized or encoded in the output

📡 Detection & Monitoring

Log Indicators:

  • Unusually long URL parameters containing script tags or JavaScript code
  • Multiple failed input validation attempts

Network Indicators:

  • HTTP requests with suspicious script tags in URL parameters
  • Unexpected JavaScript in application responses

SIEM Query:

(web.url:*script* OR web.url:*javascript*) AND dest.app:"Link Status Checker"

🔗 References