
UltimatePOS 4.8 Cross Site Scripting (PACKETSTORM:220281)

8.7 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Description

The administrative panel in UltimatePOS version 4.8 suffers from a persistent cross site scripting vulnerability...

Basic Information

ID PACKETSTORM:220281
Published May 4, 2026 at 00:00

Affected Product

UltimatePOS

Affected Versions

4.8

# CVE-2025-60503: Stored Cross-Site Scripting (XSS) in UltimatePOS (UltimateFosters) v4.8

**Publication date:** 2025-10-30
**CVE ID:** CVE-2025-60503 *(RESERVED)*
**Researcher:** Vivien Lebas
**Vendor:** UltimateFosters
**Product:** [UltimatePOS](https://codecanyon.net/item/ultimate-pos-stock-management-point-of-sale-application/21216332)
**Affected version:** 4.8
**Vulnerability type:** Stored Cross-Site Scripting (XSS)
**Severity:** High

---

## Overview

A **Stored XSS** vulnerability exists in the **UltimatePOS** admin panel (v4.8).
The `Reference No.` field in the **Purchases** module accepts unsanitized user input, which is later rendered without proper escaping in the **Reports → Activity Log** page.

An attacker with admin access can therefore store a payload that executes arbitrary JavaScript in the browser session of any other administrator who later views the Activity Log.

---

## Affected components

- Purchases → List Purchases → + Add (source: the `Reference No.` field)
- Reports → Activity Log (sink: the stored value is rendered here)


---

## Technical details

When a purchase is added, the `Reference No.` value is stored exactly as submitted and later rendered in the Activity Log view.
Because the value is written into the page without HTML encoding, any markup or script it contains executes in the browser of whoever opens the log.
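The pattern in Python, as an added illustration rather than the product's own code (UltimatePOS's templates and activity-log implementation are not reproduced here): a stored `Reference No.` interpolated into a table cell verbatim, beside the same row rendered with HTML output encoding, plus an allow-list validator for the field whose accepted character set is an assumption made for this example.

```python
"""Illustrative stand-in for the vulnerable and hardened rendering paths.

Added example, not UltimatePOS code. It models only the pattern the advisory
describes: a stored Reference No. written into an HTML table cell without
escaping, and the same cell rendered with contextual output encoding.
"""
import html
import re

# The exact payload from the advisory's PoC.
POC_PAYLOAD = "<script>alert('XSS')</script>"

# Constructed purchase record, standing in for a row saved by the Purchases module.
SAMPLE_PURCHASE = {"id": 42, "ref_no": POC_PAYLOAD, "supplier": "ACME Supplies"}


def render_log_row_vulnerable(purchase: dict) -> str:
    """Models the flaw: the stored value is interpolated into markup verbatim."""
    return (
        f"<tr><td>Purchase #{purchase['id']}</td>"
        f"<td>Reference No.: {purchase['ref_no']}</td></tr>"
    )


def render_log_row_safe(purchase: dict) -> str:
    """Hardened variant: HTML-encode the value at output time.

    quote=True also encodes ' and ", so the same value is safe inside a quoted
    attribute. The database keeps the raw string; encoding belongs at the point
    where the value lands in a page, in the encoder for that context.
    """
    ref = html.escape(str(purchase["ref_no"]), quote=True)
    return (
        f"<tr><td>Purchase #{purchase['id']}</td>"
        f"<td>Reference No.: {ref}</td></tr>"
    )


# Assumed shape for a reference number: letters, digits and a few separators,
# at most 50 characters. This is an assumption for the example, not a vendor
# rule; validation is defence in depth and does not replace output encoding.
REF_NO_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9 ._/#-]{0,49}")


def reference_no_is_valid(ref_no: str) -> bool:
    """Allow-list check on the submitted value (server side, before storage)."""
    return REF_NO_PATTERN.fullmatch(ref_no) is not None


def contains_active_markup(rendered_html: str) -> bool:
    """Crude check that a rendered fragment still carries a live <script> tag."""
    return re.search(r"<script\b", rendered_html, re.IGNORECASE) is not None


if __name__ == "__main__":
    vuln = render_log_row_vulnerable(SAMPLE_PURCHASE)
    safe = render_log_row_safe(SAMPLE_PURCHASE)
    print("vulnerable row carries live script:", contains_active_markup(vuln))
    print("hardened row carries live script:  ", contains_active_markup(safe))
    print("hardened row:", safe)
    print("PoC payload passes validation:", reference_no_is_valid(POC_PAYLOAD))
```

Run it and the unencoded row carries a live `<script>` element while the encoded row shows the payload as inert text. Note where the fix sits: at output, in the encoder for the context the value lands in (HTML body here; attribute, URL and JavaScript contexts each need their own). Storing an already-encoded value instead would break exports and any other consumer of the raw reference number, and would still miss the non-HTML contexts.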

---

## Proof of Concept (PoC)

> ⚠️ **For testing purposes only** – do not use this PoC on production systems.

1. Log in as an administrator
2. Navigate to:

   Purchases → List Purchases → + Add

3. In the **Reference No.** field, insert:

   `<script>alert('XSS')</script>`

4. Fill all required fields, then click **Save**
5. Navigate to:

   Reports → Activity Log

6. The alert box appears: JavaScript executed successfully (stored XSS confirmed)

---

## Impact

| Impact | Description |
|---|---|
| Code execution | Arbitrary JS runs in the admin browser context |
| Session hijacking | Attacker may steal session tokens |
| Data theft | Exfiltration of sensitive admin data possible |
| Phishing | Fake UI overlays or redirection attacks possible |

---
## Mitigation & Recommendations

For vendor:

- Sanitize and validate all user input (especially Reference No.)
- Encode output before rendering dynamic values in HTML (this is the actual fix; input validation is defence in depth)
- Enforce Content Security Policy (CSP) headers
- Secure cookies (HttpOnly, SameSite=strict). CSP and cookie flags limit what an injected script can do (an HttpOnly cookie cannot be read from JavaScript) but do not remove the injection itself

For users:

- Restrict admin access to trusted users
- Avoid shared admin accounts
- Monitor activity logs for suspicious payloads
- Apply patches immediately once vendor releases them
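A check to go with the "monitor activity logs" recommendation, added here and not part of the advisory or the vendor's code: a scan over exported log rows that flags reference numbers containing tags, event-handler attributes or `javascript:` URLs. The JSON shape and the field names (`id`, `user`, `action`, `ref_no`) are assumptions made for this example; map them onto however your instance exports purchase or activity-log data.

```python
"""Added example, not part of the advisory or the vendor's code: scan exported
activity-log rows for reference numbers that carry HTML or script-like content.

The JSON shape and the field names (id, user, action, ref_no) are assumptions
made for this example; adapt them to your own export.
"""
import json
import re

# Constructed sample export. Row 1 is a normal reference; rows 2-4 carry the
# advisory's PoC payload and two common variants.
SAMPLE_ACTIVITY_LOG = json.dumps([
    {"id": 1, "user": "admin", "action": "purchase_added",
     "ref_no": "PO-2025/0041"},
    {"id": 2, "user": "admin", "action": "purchase_added",
     "ref_no": "<script>alert('XSS')</script>"},
    {"id": 3, "user": "clerk", "action": "purchase_added",
     "ref_no": "PO-2025/0042\"><img src=x onerror=alert(1)>"},
    {"id": 4, "user": "clerk", "action": "purchase_added",
     "ref_no": "javascript:alert(document.cookie)"},
])

# Indicators worth a manual look. Deliberately broad: a reference number has
# no legitimate reason to contain any of these.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*", re.IGNORECASE), "html tag"),
    (re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE), "event handler attribute"),
    (re.compile(r"javascript\s*:", re.IGNORECASE), "javascript: URL"),
]


def classify(value: str) -> list:
    """Return the labels of every indicator found in the value, in pattern order."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(value)]


def scan_activity_log(export_json: str, field: str = "ref_no") -> list:
    """Parse the export and return one finding per row whose field looks injected."""
    findings = []
    for row in json.loads(export_json):
        value = str(row.get(field, ""))
        reasons = classify(value)
        if reasons:
            findings.append({
                "id": row["id"],
                "user": row.get("user"),
                "reasons": reasons,
                "value": value,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_activity_log(SAMPLE_ACTIVITY_LOG):
        print(f"row {finding['id']} (by {finding['user']}): "
              f"{', '.join(finding['reasons'])}: {finding['value']!r}")
```

Review flagged rows in a raw SQL client or a text editor, not in the application's own report page, since opening the Activity Log is exactly what triggers the payload. The `user` column on a hit tells you which account planted it, which is the lead to follow for the shared-account and access-restriction points above.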




## Credits

- Researcher: Vivien Lebas
- CVE ID: CVE-2025-60503
- Product: UltimatePOS by UltimateFosters

## References

- Vendor: https://ultimatefosters.com
- Product listing: UltimatePOS (CodeCanyon #21216332)
- CVE entry (pending): CVE-2025-60503 (RESERVED)

Note: This vulnerability differs from CVE-2025-40980, which affects a different component of the same product.
