CVE-2025-60880

8.3 HIGH

📋 TL;DR

An authenticated stored XSS vulnerability in Bagisto 2.3.6 allows admin users to upload malicious SVG files containing JavaScript code. When another user views the uploaded SVG, the embedded script executes in that user's browser, potentially compromising admin sessions and enabling unauthorized actions. Only authenticated admin users can exploit this vulnerability.

💻 Affected Systems

Products:
  • Bagisto
Versions: 2.3.6
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access; affects product creation functionality specifically.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete admin account takeover leading to full system compromise, data exfiltration, or ransomware deployment across the e-commerce platform.

🟠 Likely Case

Session hijacking of other admin users, theft of sensitive customer data, or unauthorized modifications to products/orders.

🟢 If Mitigated

Limited impact with proper admin user vetting and monitoring, though still poses insider threat risk.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated admin access; public proof-of-concept demonstrates SVG file creation and upload.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.7 or later

Vendor Advisory: https://github.com/bagisto/bagisto/security/advisories

Restart Required: No

Instructions:

1. Update Bagisto to version 2.3.7 or later.
2. Run composer update.
3. Clear application cache.
4. Verify SVG upload validation is working.

🔧 Temporary Workarounds

Disable SVG uploads (applies to: all)

Temporarily disable SVG file uploads in product creation: modify Bagisto configuration to restrict file uploads to non-SVG formats.

Implement content security policy (applies to: all)

Add CSP headers to restrict script execution from uploaded files: add a Content-Security-Policy header with script-src 'self'.

🧯 If You Can't Patch

  • Implement strict admin user access controls and monitoring
  • Deploy web application firewall with XSS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if running Bagisto 2.3.6 and test SVG upload with JavaScript payload in product creation

Check Version:

php artisan bagisto:version

Verify Fix Applied:

Verify version is 2.3.7+ and test that SVG files with script tags are rejected or sanitized
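A check of the kind described above, as an added example that is not part of the advisory or of Bagisto's own code: it scans an SVG file for active content (script elements, on* event-handler attributes, javascript: URLs, foreignObject) so stored uploads can be audited or rejected. It is standalone Python rather than Bagisto's PHP, and the two sample SVGs are constructed for the demonstration.

```python
"""Flag SVG uploads that carry active content before they are stored or served.
Intended as a defensive audit over an uploads directory; not Bagisto code."""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script' (lower-cased)."""
    return tag.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return a list of findings; an empty list means no active content seen.
    Names are matched case-insensitively because browsers are lenient, and a
    file that does not parse as XML is reported rather than silently passed."""
    findings = []
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]
    for elem in root.iter():
        name = _local(elem.tag)
        if name in ("script", "foreignobject"):
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            aname = _local(attr)          # also normalises xlink:href -> href
            if aname.startswith("on"):    # onload=, onclick=, onerror=, ...
                findings.append(f"{aname} handler on <{name}>")
            if aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript: URL on <{name}>")
    return findings


def is_safe_svg(svg_bytes: bytes) -> bool:
    """True only when the file parsed and no active content was found."""
    return not find_active_content(svg_bytes)


# Constructed samples (not from the advisory): one benign, one with active content.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
ACTIVE = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
          b'<script>alert(1)</script></svg>')

if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("active", ACTIVE)):
        print(label, "safe" if is_safe_svg(data) else find_active_content(data))
```

Run it over the product image directory after upgrading: any file that still yields findings was stored before validation was in place and should be removed or re-encoded as PNG.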

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG file uploads in admin logs
  • Multiple failed login attempts followed by SVG upload

Network Indicators:

  • Unusual outbound connections after admin panel access
  • SVG files with script tags in upload traffic

SIEM Query:

source="bagisto_logs" AND (event="file_upload" AND file_extension="svg")
