CVE-2025-47204
Published 2025-05-13
Priority: P278 · Severity: medium · CVSS 3.1 base score 6.1
Vector: AV:N AC:L PR:N UI:R S:C C:L I:L A:N
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 0.40% (percentile 32.2)
An issue was discovered in post.php in bootstrap-multiselect (aka Bootstrap Multiselect) 1.1.2. A PHP script in the source code echoes arbitrary POST data. If a developer adopts this structure wholesale in a live application, it could create a Reflective Cross-Site Scripting (XSS) vulnerability exploitable through Cross-Site Request Forgery (CSRF).
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| davidstutz | bootstrap_multiselect | — | — |
Detection & IOCs (extracted from sources)
command: alert(document.domain)
sigma:
matchers:
  - type: dsl
    dsl:
      - 'contains(content_type, "text/html")'
      - 'contains_all(body, "alert(document.domain)", "bootstrap-multiselect-master")'
    condition: and
- Look for HTTP responses with Content-Type 'text/html' that contain both 'alert(document.domain)' and 'bootstrap-multiselect-master' in the body, indicating reflected XSS via post.php.
- The vulnerable script post.php echoes arbitrary POST data back to the client; monitor POST requests to post.php in bootstrap-multiselect deployments for unsanitized reflected output.
- This vulnerability is only exploitable if a developer has deployed the example post.php script from the bootstrap-multiselect source in a live/production application; it is not present in the library itself by default.
CVSS provenance
- nvd (v3.1): 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
- vulncheck: 6.1 MEDIUM
GHSA
Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data
ghsa · 2025-05-13 · CVE-2025-47204 [MEDIUM] · CWE-352
OSV
Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data
osv · 2025-05-13 · CVE-2025-47204 [MEDIUM]
VulnCheck
davidstutz bootstrap_multiselect Cross-Site Request Forgery (CSRF)
vulncheck · 2025 · CVSS 6.1 · CVE-2025-47204 [MEDIUM]
Affected: davidstutz bootstrap_multiselect
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2025-07-21&host_type=src&vulnerability=cve-2025-47204; https://dashboard.sha
No detection rules found.
Nuclei
Bootstrap Multiselect <= 1.1.2 - Cross-Site Scripting
nuclei · CVSS 6.1 · CVE-2025-47204 [MEDIUM]
Bootstrap Multiselect · alert(document.domain)
matchers:
  - type: dsl
    dsl:
      - 'contains(content_type, "text/html")'
      - 'contains_all(body, "alert(document.domain)", "bootstrap-multiselect-master")'
    condition: and
# digest: 4b0a00483046022100d2a6b14b97aa8517b71670c2cbe19e81606adbeb31ccdb691e9fe877da6f9e11022100aec34852518294f493021a54d75cd014db691f54aaa6a9546e20133541ac507d:922c64590222798bb761d5b6d8e72950