CVE-2019-25265 MEDIUM

CVE-2019-25265: Online Inventory Manager 3.2 - Persistent Cross-Site Scripting

Vendor Bigprof

Product Online Inventory Manager

Weakness CWE-79 · XSS

Published February 3, 2026

Last update February 6, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Online Inventory Manager 3.2 contains a stored cross-site scripting vulnerability in the group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the description field that will execute when the groups page is viewed, allowing potential cookie theft and client-side script execution.

Key dates

02Disclosure timeline

February 3, 2026 CVE published

February 6, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-25265 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2022-38703 WordPress Button Plugin MaxButtons plugin <= 9.2 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability CVE-2023-52192 WordPress Keap Official Opt-in Forms Plugin <= 1.0.11 is vulnerable to Cross Site Scripting (XSS) CVE-2025-23966 WordPress a Gateway for Pasargad Bank on WooCommerce Plugin <= 2.5.2 - Cross Site Scripting (XSS) vulnerability CVE-2024-56274 WordPress Astra Widgets plugin <= 1.2.15 - Cross Site Scripting (XSS) vulnerability CVE-2025-13217 Ultimate Member <= 2.11.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'