CVE-2024-58296 MEDIUM

CVE-2024-58296: CE Phoenix v3.0.1 Stored Cross-Site Scripting via admin/currencies.php

Vendor Phoenixcart

Product CE Phoenix

Weakness CWE-79 · XSS

Published December 11, 2025

Last update December 16, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

CE Phoenix v3.0.1 contains a stored cross-site scripting vulnerability in the currencies administration panel that allows attackers to inject malicious scripts. Attackers can insert XSS payloads in the title field to execute arbitrary JavaScript when administrators view the currencies page.

Key dates

02Disclosure timeline

December 11, 2025 CVE published

December 16, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-58296 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-40730 HTML injection in Vox Media's Chorus CMS CVE-2025-14888 Simple User Meta Editor <= 1.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting via User Meta Value Field CVE-2024-29142 WordPress Better Search plugin <= 3.3.0 - Stored Cross Site Scripting (XSS) vulnerability CVE-2024-13292 Tooltip - Moderately critical - Cross site scripting - SA-CONTRIB-2024-058 CVE-2023-5577 Bitly's WordPress Plugin <= 2.7.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode