CVE-2025-11067 MEDIUM

CVE-2025-11067: Projectworlds Visitor Management System Add Visitor myform.php cross site scripting

Vendor Projectworlds

Product Visitor Management System

Weakness CWE-79 · XSS

Published September 27, 2025

Last update September 29, 2025

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

A vulnerability has been found in Projectworlds Visitor Management System 1.0. Affected is an unknown function of the file /myform.php of the component Add Visitor Page. The manipulation of the argument Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

Key dates

02Disclosure timeline

September 27, 2025 CVE published

September 29, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-11067 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-10165 AP Background <= 3.8.2 - Authenticated (Contributor+) Stored Cross-Site Scripting CVE-2026-1908 Integration with Hubspot Forms <= 1.2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2025-31471 WordPress Duplicate Page and Post plugin <= 1.0 - Cross Site Scripting (XSS) Vulnerability CVE-2025-67949 WordPress Hostiko theme < 94.3.6 - Cross Site Scripting (XSS) vulnerability CVE-2025-5235 OpenSheetMusicDisplay <= 1.4.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via className Parameter