CVE-2019-25739 MEDIUM

CVE-2019-25739: GigToDo Freelance Marketplace Script 1.3 Persistent XSS

Vendor Gigtodoscript

Product GigToDo

Weakness CWE-79 · XSS

Published June 4, 2026

Last update June 10, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

GigToDo 1.3 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious JavaScript and HTML code through the proposal description field. Attackers can craft XSS payloads in the create_proposal endpoint that execute when administrators or other users view the stored proposal, enabling cookie theft and malicious redirects.

Key dates

02Disclosure timeline

June 4, 2026 CVE published

June 10, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2019-25739 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2023-40196 WordPress ImageRecycle pdf & image compression Plugin <= 3.1.11 is vulnerable to Cross Site Scripting (XSS) CVE-2025-66492 Masa CMS vulnerable to Cross-Site Scripting (XSS) through URL Parameter CVE-2021-36910 WordPress WP-Appbox plugin <= 4.3.20 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability CVE-2024-24932 WordPress VK Poster Group Plugin <= 2.0.3 is vulnerable to Cross Site Scripting (XSS) CVE-2025-9030 Majestic Before After Image <= 2.0.2 - Authenticated (Contributor+) Stored Cross-Site Scripting