CVE-2025-12920: Cross Site Scripting in qianfox FoxCMS

Severity: Medium
Published: Sun Nov 09 2025 (11/09/2025, 23:02:05 UTC)
Source: CVE Database V5
Vendor/Project: qianfox
Product: FoxCMS

Description

A flaw has been found in qianfox FoxCMS up to 1.2.16. Affected by this vulnerability is the function add/edit of the file app/admin/controller/Product.php. Manipulation of the argument Title causes cross-site scripting. The attack can be initiated remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Machine-generated threat intelligence

AI analysis last updated: 02/24/2026, 22:18:54 UTC

Technical Analysis

CVE-2025-12920 is a cross-site scripting vulnerability identified in the qianfox FoxCMS content management system, affecting all versions up to 1.2.16. The vulnerability resides in the add/edit functionality of the Product.php controller file, where the Title parameter is improperly sanitized. This improper input validation allows an attacker to inject malicious JavaScript code remotely. The attack vector is network-based and does not require prior authentication, although user interaction is necessary to trigger the malicious script once injected. The vulnerability can be exploited by submitting crafted input to the Title field, which is then reflected without proper encoding in the web application’s response, enabling execution of arbitrary scripts in the context of the victim’s browser. The vendor was notified early but has not provided a patch or response, and a public exploit is available, increasing the risk of exploitation. The CVSS 4.0 base score is 4.8, reflecting medium severity, with factors including no required privileges but requiring user interaction and limited impact on confidentiality and integrity. This vulnerability can be leveraged for session hijacking, phishing, or delivering malware to users interacting with the affected FoxCMS sites. The lack of vendor remediation and public exploit availability make this a notable risk for organizations using FoxCMS.

Potential Impact

The primary impact of CVE-2025-12920 is the potential compromise of user sessions and the execution of arbitrary scripts within the browsers of users visiting affected FoxCMS websites. This can lead to theft of sensitive information such as authentication tokens, unauthorized actions performed on behalf of users, defacement of websites, or redirection to malicious sites. For organizations, this undermines the integrity and trustworthiness of their web presence, potentially damaging reputation and leading to regulatory or compliance issues if user data is compromised. Although the vulnerability does not directly affect server availability or confidentiality of backend data, the indirect consequences of successful exploitation can be severe, including loss of customer trust and potential financial losses. The ease of remote exploitation without authentication increases the risk, especially since a public exploit exists. Organizations relying on FoxCMS for e-commerce, customer portals, or public-facing content are particularly vulnerable to targeted attacks or opportunistic exploitation by attackers scanning for vulnerable instances.

Mitigation Recommendations

Given the absence of an official patch from the vendor, organizations should implement immediate mitigations to reduce risk. These include:

1. Applying strict input validation on the Title parameter to reject or sanitize suspicious characters such as script tags or event handlers before processing.
2. Implementing robust output encoding (e.g., HTML entity encoding) on all user-supplied input before rendering it in the browser to prevent script execution.
3. Employing Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS.
4. Monitoring web server and application logs for unusual input patterns or error messages indicative of attempted exploitation.
5. Restricting access to the add/edit product functionality to trusted administrators and enforcing multi-factor authentication to reduce the risk of unauthorized changes.
6. Considering temporarily disabling or restricting the vulnerable functionality, if feasible, until a vendor patch is released.
7. Educating users and administrators about the risks of XSS and encouraging vigilance for suspicious activity.

Organizations should also track vendor communications for updates and apply official patches promptly once available.
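The following is an added example, not FoxCMS code and not part of the VulDB entry, showing how mitigations 1 to 4 above look in PHP for a product title: an allow-list validator for the Title input, the unsafe concatenation pattern beside the output-encoded one, a CSP header that blocks inline script, and a small check that flags request log lines carrying typical injection markers. All function names, the sample title and the sample log line are constructed for this example; the real FoxCMS controller and templates are not reproduced here.

```php
<?php
// Added example (not FoxCMS code). Assumes an untrusted, admin-supplied product
// title that is later rendered into an HTML page; function names are hypothetical.
declare(strict_types=1);

// Mitigation 2: encode at the point of output for the HTML body/attribute context.
// ENT_QUOTES also encodes quotes so the value is safe inside quoted attributes.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Mitigation 1: allow-list validation of the Title input before it is stored.
// Constructed policy: non-empty, at most 200 characters, no control characters,
// no raw angle brackets (a product title has no legitimate need for tags).
function validateTitle(string $title): bool
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 200) {
        return false;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/u', $title) === 1) {
        return false;
    }
    return strpbrk($title, '<>') === false;
}

// Vulnerable pattern: the stored title is concatenated straight into markup,
// so a title containing a script tag or event handler is executed by the browser.
function renderTitleUnsafe(string $title): string
{
    return '<h1 class="product-title">' . $title . '</h1>';
}

// Hardened pattern: the same template with output encoding applied.
function renderTitleSafe(string $title): string
{
    return '<h1 class="product-title">' . encodeHtml($title) . '</h1>';
}

// Mitigation 3: a CSP that forbids inline script unless it carries the per-response
// nonce, so a missed encoding site cannot run attacker-supplied script.
function cspHeader(string $nonce): string
{
    return "Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'nonce-{$nonce}'; object-src 'none'; base-uri 'self'";
}

// Mitigation 4: flag request log lines whose query string, once URL-decoded,
// carries common XSS markers. Detection aid only; tune for false positives.
function looksLikeXssAttempt(string $logLine): bool
{
    $decoded = rawurldecode($logLine);
    return preg_match('/<\s*script|javascript\s*:|\bon[a-z]+\s*=/i', $decoded) === 1;
}

// Constructed sample title carrying a script tag and an event handler.
$sample = '<script>alert(1)</script><img src=x onerror=alert(2)>';

echo 'validateTitle: ' . (validateTitle($sample) ? 'accepted' : 'rejected') . "\n";
echo 'unsafe: ' . renderTitleUnsafe($sample) . "\n";
echo 'safe:   ' . renderTitleSafe($sample) . "\n";

$nonce = base64_encode(random_bytes(16));
echo cspHeader($nonce) . "\n";

// Constructed access-log line (not a real FoxCMS log) for the detection check.
$logLine = '10.0.0.5 - - "POST /admin/product/add?title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200';
echo 'log flagged: ' . (looksLikeXssAttempt($logLine) ? 'yes' : 'no') . "\n";
```

For the sample title, validateTitle() rejects the value because of the angle brackets, renderTitleUnsafe() emits the markup verbatim, and renderTitleSafe() emits `&lt;script&gt;alert(1)&lt;/script&gt;&lt;img src=x onerror=alert(2)&gt;`, which the browser shows as text. Output encoding is the primary control; the validator and the CSP are defence in depth, and the log check is a starting point for mitigation 4 rather than a complete detection rule.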


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-09T06:34:06.770Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69112046b991753c98029761

Added to database: 11/9/2025, 11:14:14 PM

Last enriched: 2/24/2026, 10:18:54 PM

Last updated: 3/25/2026, 4:23:21 AM

Views: 210
