CVE-2025-40626

Name of the Vulnerable Software and Affected Versions AbanteCart version 1.4.0

Description A Reflected Cross-Site Scripting (XSS) issue allows an attacker to execute JavaScript code in a victim's browser by sending a malicious URL. This can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user, through the "/about us?[XSS PAYLOAD]" endpoint. The XSS PAYLOAD variable is used to inject malicious JavaScript code.

Recommendations For AbanteCart version 1.4.0, as a temporary workaround, consider restricting access to the "/about us" endpoint to minimize the risk of exploitation. Avoid using the XSS PAYLOAD variable in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.