CVE-2025-60880 is an authenticated stored cross-site scripting (XSS) vulnerability identified in the Bagisto e-commerce platform version 2.3.6, specifically within the admin panel's product creation path. The vulnerability arises because the application improperly sanitizes SVG file uploads, allowing an attacker with administrative privileges to upload a crafted SVG file embedding malicious JavaScript code. When this SVG is rendered in the admin panel, the embedded script executes in the context of the victim's browser session. This stored XSS can be leveraged to hijack admin sessions, steal sensitive data, or perform unauthorized actions within the admin interface. The CVSS 3.1 base score is 8.3, reflecting high severity due to the potential for confidentiality impact (high), integrity impact (low), and the requirement for high privileges (authenticated admin) and user interaction (viewing the malicious SVG). The vulnerability is scoped, affecting the Bagisto 2.3.6 version, and no patches or public exploits are currently available. The CWE classification is CWE-79, indicating improper neutralization of input during web page generation. This vulnerability highlights the risks of insufficient input validation and output encoding in file upload features, especially for SVG files which can contain executable scripts. Organizations using Bagisto 2.3.6 should assess their exposure and implement mitigations promptly.

For European organizations using Bagisto 2.3.6, this vulnerability poses a significant risk to the confidentiality and integrity of their e-commerce platforms. Successful exploitation could lead to administrative session hijacking, enabling attackers to manipulate product data, access sensitive customer information, or disrupt business operations. The stored nature of the XSS means that once a malicious SVG is uploaded, any admin viewing the affected product page could be compromised, potentially leading to widespread impact within the organization. Given the administrative level required to exploit this, insider threats or compromised admin credentials could be leveraged by attackers. The impact extends to reputational damage, regulatory non-compliance (e.g., GDPR breaches due to data theft), and financial losses. The lack of known public exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure. European e-commerce businesses relying on Bagisto should consider this vulnerability critical due to the direct impact on their operational security and customer trust.

1. Immediate mitigation should focus on restricting SVG file uploads in the admin panel or disabling SVG support entirely until a patch is available. 2. Implement strict server-side validation and sanitization of uploaded SVG files to remove any embedded scripts or potentially malicious content. 3. Apply Content Security Policy (CSP) headers that restrict script execution contexts and sources within the admin panel to limit the impact of any injected scripts. 4. Enforce multi-factor authentication (MFA) for all admin accounts to reduce the risk of credential compromise. 5. Monitor admin panel logs for unusual file uploads or access patterns indicative of exploitation attempts. 6. Educate administrators about the risks of opening or interacting with suspicious product entries or files. 7. Stay alert for official patches or updates from Bagisto and apply them promptly once released. 8. Consider implementing web application firewalls (WAF) with rules to detect and block malicious SVG payloads. 9. Regularly audit and review user privileges to ensure only necessary personnel have admin access. These steps provide layered defense beyond generic advice and address the specific attack vector of malicious SVG uploads.