CVE-2025-60880: n/a
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in the browser, potentially leading to session hijacking, data theft, or unauthorized actions.
AI Analysis
Technical Summary
CVE-2025-60880 is an authenticated stored cross-site scripting (XSS) vulnerability in the admin panel of the Bagisto 2.3.6 e-commerce platform, specifically in the product creation workflow. An authenticated admin user can upload an SVG file as product media, and the application stores it without validating or sanitizing its contents. SVG is an XML document format, so a file can carry a <script> element, event-handler attributes such as onload, javascript: URLs in href attributes, and <foreignObject> elements that embed arbitrary HTML. When a browser opens such a file as a document (by navigating to the stored file's URL, or when a page embeds it with <object>, <iframe> or <embed>), the script runs with the origin the file is served from; an SVG referenced from an <img> tag is rendered without script, so the victim has to open the file itself, which matches the user-interaction component (UI:R) of the CVSS vector. Where uploads are served from the same origin as the admin panel, the script runs inside the victim admin's session: it can fetch admin pages with the victim's cookies, extract the CSRF token and submit authenticated requests, exfiltrate data, or alter catalogue and order data, whether or not the session cookie itself is readable from script (an HttpOnly cookie only prevents cookie theft, not actions taken from the victim's browser). The attack requires high privileges (PR:H, an admin account) and user interaction (UI:R). The CVSS 3.1 base score is 8.3, with a network attack vector and low attack complexity; a score that high for a PR:H/UI:R issue reflects how much a script running as an administrator can do. No patch or public exploit is known at the time of writing, but the issue is publicly disclosed and should be treated promptly. The exposure is limited to Bagisto 2.3.6 installations whose admin users can upload product images or other assets. The root cause is the familiar one of accepting SVG uploads without validation or sanitization.
Potential Impact
For European organizations using Bagisto 2.3.6 as their e-commerce platform, this vulnerability poses a significant risk to the confidentiality and integrity of their administrative operations. Successful exploitation could lead to session hijacking of admin accounts, enabling attackers to manipulate product data, access sensitive customer information, or disrupt business operations. This could result in financial losses, reputational damage, and regulatory non-compliance, especially under GDPR requirements for data protection. The requirement for authenticated admin access limits the attack surface but does not eliminate risk, as insider threats or compromised admin credentials could be leveraged. Additionally, the stored nature of the XSS means that multiple admin users could be affected once the malicious SVG is uploaded. Given the increasing reliance on e-commerce platforms in Europe, the impact could extend to supply chain disruptions and customer trust erosion.
Mitigation Recommendations
European organizations running Bagisto 2.3.6 should apply the following, roughly in the order that reduces exposure fastest:
1) Restrict or disable SVG uploads in the admin panel until a fixed release is available; accept raster formats only for product media in the meantime.
2) If SVG must stay enabled, validate or sanitize every upload server-side before it is written to storage: reject files containing <script>, event-handler attributes (onload, onclick and the rest of the on* family), javascript: or data: URLs in href and animation attributes, <foreignObject>, DOCTYPE or entity declarations, and CSS that loads external resources; or run the file through an allow-list sanitizer. Client-side checks are no substitute, since the uploader is the attacker here.
3) Audit the media already stored. This is a stored XSS, so blocking new uploads does nothing about a file uploaded before the block: scan the product media directory for SVGs carrying the markers above and remove them.
4) Harden how uploaded files are served. Serving media from a separate origin keeps a script in an SVG out of the admin panel's origin, and serving SVG responses with Content-Disposition: attachment plus a Content-Security-Policy: sandbox header on the file response stops the script even when the file is opened directly. Note that a CSP on the admin HTML pages does not apply to an SVG the browser opens as its own document; the file response needs its own header.
5) Review admin accounts regularly for unexpected users or role changes, and enforce multi-factor authentication, since a compromised or malicious admin account is the precondition for this attack.
6) Monitor web and application logs for SVG uploads through the product media endpoints and for admin sessions fetching uploaded files directly.
7) Train administrators not to upload files of unknown provenance, and treat product media received from suppliers as untrusted input.
8) Track Bagisto advisories and apply the official fix as soon as it is released.
9) A WAF rule matching <script or on*= inside SVG uploads adds a layer, but encoding, CDATA sections and entity references make signature matching easy to bypass; treat it as defense in depth, not as the fix.
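The following is an added example for this advisory; it is not Bagisto's code or anything from the CVE reporter. It shows what a script-bearing SVG of the kind described in the technical summary looks like (a constructed sample, with alert() standing in for a real payload), a server-side gate that rejects such files before they reach storage (mitigation 2), and a scan over an existing media directory for files stored before the gate was in place (mitigation 3). The product/ directory layout, the file names and the use of a scratch directory in demo() are assumptions for illustration.

```python
"""Gate and audit SVG uploads for executable content.

Added example for this advisory, not Bagisto's code. It assumes the upload
handler can see the file bytes before they reach storage, and that existing
product media sits in a directory you can walk. The sample SVGs below are
constructed for illustration.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that run script or pull in HTML / external documents when the
# SVG is opened as a document (direct URL, <object>, <iframe>, <embed>).
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "object", "embed", "handler"}
# Attributes that carry a URL the renderer (or an animation) will follow.
URL_ATTRS = {"href", "src", "data", "from", "to", "by", "values"}
# data: is rejected too: it can smuggle text/html, not just an image.
DANGEROUS_SCHEME = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)
# CSS that fetches or executes; url(#id) gradients and patterns are allowed.
CSS_ACTIVE = re.compile(r"url\s*\(\s*['\"]?(?!#)|@import|expression\s*\(|javascript:",
                        re.IGNORECASE)


def _local(name: str) -> str:
    """'{ns}tag' -> 'tag'; leaves un-namespaced names alone."""
    return name.rsplit("}", 1)[-1]


def find_svg_hazards(data: bytes) -> list[str]:
    """Return reasons the SVG must be rejected; an empty list means it passed."""
    reasons = []
    # A DOCTYPE/ENTITY has no business in an image: it enables entity
    # expansion and external-entity tricks against whatever parses it later.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        reasons.append("DOCTYPE/ENTITY declaration")
    if b"<?xml-stylesheet" in data:
        reasons.append("xml-stylesheet processing instruction")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return reasons + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        reasons.append(f"root element {root.tag!r} is not <svg>")
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag in FORBIDDEN_TAGS:
            reasons.append(f"forbidden element <{tag}>")
        if tag == "style" and el.text and CSS_ACTIVE.search(el.text):
            reasons.append("active CSS in <style>")
        for attr, value in el.attrib.items():
            name = _local(attr)  # handles xlink:href as well as plain href
            if name.lower().startswith("on"):
                reasons.append(f"event handler {name} on <{tag}>")
            elif name == "style" and CSS_ACTIVE.search(value):
                reasons.append(f"active CSS in style attribute on <{tag}>")
            elif name in URL_ATTRS and DANGEROUS_SCHEME.search(value):
                reasons.append(f"{name}={value[:40]!r} on <{tag}>")
    return reasons


def is_safe_svg(data: bytes) -> bool:
    """Upload-time gate: store the file only when this returns True."""
    return not find_svg_hazards(data)


def scan_media_dir(path: str) -> dict[str, list[str]]:
    """Walk an existing media directory and report every unsafe .svg.

    Disabling uploads does not remove payloads already stored; run this
    over the product media before trusting it again.
    """
    findings = {}
    for dirpath, _, files in os.walk(path):
        for fn in files:
            if fn.lower().endswith(".svg"):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    reasons = find_svg_hazards(fh.read())
                if reasons:
                    findings[os.path.relpath(full, path)] = reasons
    return findings


# Constructed samples: a stored-XSS style payload and a harmless icon.
MALICIOUS_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" viewBox="0 0 10 10">
  <script>alert(document.domain)</script>
  <rect width="10" height="10" onload="alert(1)"/>
  <a xlink:href="javascript:alert(2)"><text x="1" y="9">x</text></a>
</svg>"""
BENIGN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
              b'<circle cx="5" cy="5" r="4" fill="#0a0"/></svg>')


def demo() -> dict[str, list[str]]:
    """Write both samples into a scratch media tree and scan it (assumed layout)."""
    with tempfile.TemporaryDirectory() as media:
        os.makedirs(os.path.join(media, "product", "1"))
        with open(os.path.join(media, "product", "1", "logo.svg"), "wb") as fh:
            fh.write(MALICIOUS_SVG)
        with open(os.path.join(media, "product", "1", "icon.svg"), "wb") as fh:
            fh.write(BENIGN_SVG)
        return scan_media_dir(media)


if __name__ == "__main__":
    for rel, why in demo().items():
        print(rel, "->", "; ".join(why))
```

The gate is deliberately a reject-list over a parsed tree rather than a regex over the raw bytes: the parser normalises entity references and namespace prefixes, so `xlink:href`, `href` and an entity-encoded `&#106;avascript:` all end up inspected as the same attribute value. A stricter deployment would replace the reject-list with an allow-list of elements and attributes, which is what a full sanitizer does; the scan is the same in either case.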
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- mitre
- Date Reserved
- 2025-09-26T00:00:00.000Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 68e952c11df34bad8db92882
Added to database: 10/10/2025, 6:38:57 PM
Last enriched: 10/10/2025, 6:53:40 PM
Last updated: 10/10/2025, 7:46:55 PM