{"id":51238,"date":"2026-05-04T11:51:19","date_gmt":"2026-05-04T11:51:19","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=51238"},"modified":"2026-05-04T11:51:19","modified_gmt":"2026-05-04T11:51:19","slug":"ultimatepos-48-cross-site-scripting","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=51238","title":{"rendered":"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281"},"content":{"rendered":"

{“lastseen”:”2026-05-04T15:32:40″,”description”:”The administrative panel in UltimatePOS version 4.8 suffers from a persistent cross site scripting vulnerability…”,”published”:”2026-05-04T00:00:00″,”modified”:”2026-05-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:220281″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-40980″,”CVE-2025-60503″],”sourceData”:”# CVE-2025-60503 \u2014 Stored Cross-Site Scripting (XSS) in UltimatePOS (UltimateFosters) v4.8\\n \\n **Publication date:** 2025-10-30 \\n **CVE ID:** CVE-2025-60503 *(RESERVED)* \\n **Researcher:** Vivien Lebas \\n **Vendor:** UltimateFosters \\n **Product:** [UltimatePOS](https:\/\/codecanyon.net\/item\/ultimate-pos-stock-management-point-of-sale-application\/21216332) \\n **Affected version:** 4.8 \\n **Vulnerability type:** Stored Cross-Site Scripting (XSS) \\n **Severity:** High \\n \\n —\\n \\n ## Overview\\n \\n A **Stored XSS** vulnerability exists in the **UltimatePOS** admin panel (v4.8). \\n The `Reference No.` field in the **Purchases** module accepts unsanitized user input, which is later rendered without proper escaping in the **Reports \u2192 Activity Log** page.\\n \\n This allows an attacker with admin access to execute arbitrary JavaScript in the context of another administrator\u2019s browser session.\\n \\n —\\n \\n ## Affected components\\n \\n Purchases \u2192 List Purchases \u2192 + Add\\n Reports \u2192 Activity Log\\n \\n \\n —\\n \\n ## Technical details\\n \\n When adding a new purchase, the `Reference No.` field value is stored directly and then reflected in the activity log view. \\n Because the output is not escaped, any embedded HTML\/JavaScript executes when the log is viewed.\\n \\n —\\n \\n ## Proof of Concept (PoC)\\n \\n \\u003e \u26a0\ufe0f **For testing purposes only** \u2013 do not use this PoC on production systems.\\n \\n 1. Log in as an administrator \\n 2. Navigate to: \\n \\n Purchases \u2192 List Purchases \u2192 + Add\\n \\n 3. In the **Reference No.** field, insert:\\n \\n `\\u003cscript\\u003ealert(‘XSS’)\\u003c\/script\\u003e`\\n \\n Fill all required fields, then click Save\\n Navigate to:\\n Reports \u2192 Activity Log\\n The alert box appears \u2014 JavaScript executed successfully (stored XSS confirmed)\\n \\n Impact\\n Impact\\tDescription\\n Code execution\\tArbitrary JS runs in the admin browser context\\n Session hijacking\\tAttacker may steal session tokens\\n Data theft\\tExfiltration of sensitive admin data possible\\n Phishing\\tFake UI overlays or redirection attacks possible\\n Mitigation \\u0026 Recommendations\\n \\n For vendor:\\n \\n Sanitize and validate all user input (especially Reference No.)\\n \\n Encode output before rendering dynamic values in HTML\\n \\n Enforce Content Security Policy (CSP) headers\\n \\n Secure cookies (HttpOnly, SameSite=strict)\\n \\n For users:\\n \\n Restrict admin access to trusted users\\n \\n Avoid shared admin accounts\\n \\n Monitor activity logs for suspicious payloads\\n \\n Apply patches immediately once vendor releases them\\n \\n \\n \\n \\n Credits\\n \\n Researcher: Vivien Lebas\\n \\n CVE ID: CVE-2025-60503\\n \\n Product: UltimatePOS by UltimateFosters\\n References\\n \\n Vendor: https:\/\/ultimatefosters.com\\n \\n Product listing: UltimatePOS (CodeCanyon #21216332)\\n \\n CVE entry (pending): CVE-2025-60503 \u2014 RESERVED\\n \\n Note: This vulnerability differs from CVE-2025-40980, which affects a different component of the same product.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/220281″,”cvss”:{“score”:8.7,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:R\/S:C\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/220281\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-05-04T15:32:40″,”description”:”The administrative panel in UltimatePOS version 4.8 suffers from a persistent cross site scripting vulnerability…”,”published”:”2026-05-04T00:00:00″,”modified”:”2026-05-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:220281″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-40980″,”CVE-2025-60503″],”sourceData”:”# CVE-2025-60503 \u2014 Stored Cross-Site Scripting…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,19,12,15,13,53,7,11,5],"class_list":["post-51238","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-87","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=51238\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-05-04T15:32:40″,”description”:”The administrative panel in UltimatePOS version 4.8 suffers from a persistent cross site scripting vulnerability…”,”published”:”2026-05-04T00:00:00″,”modified”:”2026-05-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:220281″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-40980″,”CVE-2025-60503″],”sourceData”:”# CVE-2025-60503 \u2014 Stored Cross-Site Scripting...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=51238\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-04T11:51:19+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51238#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51238\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281\",\"datePublished\":\"2026-05-04T11:51:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51238\"},\"wordCount\":589,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.7\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=51238#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51238\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51238\",\"name\":\"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-04T11:51:19+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51238#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=51238\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=51238#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=51238","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281 - zero redgem","og_description":"{“lastseen”:”2026-05-04T15:32:40″,”description”:”The administrative panel in UltimatePOS version 4.8 suffers from a persistent cross site scripting vulnerability…”,”published”:”2026-05-04T00:00:00″,”modified”:”2026-05-04T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:220281″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-40980″,”CVE-2025-60503″],”sourceData”:”# CVE-2025-60503 \u2014 Stored Cross-Site Scripting...","og_url":"https:\/\/zero.redgem.net\/?p=51238","og_site_name":"zero redgem","article_published_time":"2026-05-04T11:51:19+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=51238#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=51238"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281","datePublished":"2026-05-04T11:51:19+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=51238"},"wordCount":589,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.7","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=51238#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=51238","url":"https:\/\/zero.redgem.net\/?p=51238","name":"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-04T11:51:19+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=51238#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=51238"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=51238#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 UltimatePOS 4.8 Cross Site Scripting_PACKETSTORM:220281"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/51238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=51238"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/51238\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=51238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=51238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=51238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}