PT-2025-23496 · Unknown · Ce Phoenix

Author: Adityaax · Published: 2025-06-02 · Updated: 2025-06-02 · CVE-2025-47289

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CE Phoenix versions 1.0.9.9 through 1.1.0.2

Description: A stored cross-site scripting (XSS) issue was found in CE Phoenix, where an attacker can inject malicious JavaScript into the testimonial description field. If the shop owner approves the testimonial, the script executes in the context of any user visiting the testimonial page. The session cookies can be exfiltrated by the attacker because they are not marked with the HttpOnly flag, potentially leading to account takeover.

Recommendations: For versions 1.0.9.9 through 1.1.0.2, update to version 1.1.0.3 to fix the issue. As a temporary workaround, consider restricting access to the testimonial description field until the update is applied.
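As an added illustration that is not CE Phoenix's own code, the PHP sketch below shows the two defences the description points to: HTML-encoding the testimonial description on output instead of echoing it raw, and issuing the session cookie with the HttpOnly flag so a script that does run cannot read it. The function names, the sample testimonial and the cookie parameters are assumptions constructed for this example.

```php
<?php
// Added example, not code from CE Phoenix. Constructed sample testimonial
// whose description carries a script tag, as it would arrive from the form.
$testimonial = [
    'author'      => 'Constructed Customer',
    'description' => 'Great shop! <script>alert(1)</script>',
];

// Vulnerable pattern: user-controlled text interpolated straight into HTML,
// so an approved testimonial executes in every visitor's browser.
function render_testimonial_vulnerable(array $t): string
{
    return '<p>' . $t['description'] . '</p>';
}

// Hardened pattern: encode on output. ENT_QUOTES also escapes both quote
// characters, so the value stays inert inside quoted attributes as well.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_testimonial_safe(array $t): string
{
    return '<p>' . e($t['description']) . '</p>';
}

// Defence in depth: set the cookie flags before session_start() so the
// session id is HttpOnly (unreadable from document.cookie) and Secure.
// Domain/path values are assumed; match them to the shop's deployment.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

echo render_testimonial_vulnerable($testimonial), PHP_EOL; // script tag intact
echo render_testimonial_safe($testimonial), PHP_EOL;       // &lt;script&gt; rendered as text
```

Grepping templates for the description being echoed without a call like `e()` is a quick way to confirm whether a given installation still follows the vulnerable pattern.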

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-10516
CVE-2025-47289
GHSA-98QQ-M8QJ-VVGJ

Affected Products

Ce Phoenix