CVE-2025-40701 MEDIUM

CVE-2025-40701: Reflected Cross-Site scripting (XSS) in SOTE's SOTESHOP

Vendor Sote

Product SOTESHOP

Weakness CWE-79 · XSS

Published February 23, 2026

Last update February 24, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. THis vulnerability allows an attacker execute JavaScript code in the victim's browser when a malicious URL with the 'id' parameter in '/adsTracker/checkAds' is sent to the victim. The vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions on their behalf.

Key dates

02Disclosure timeline

February 23, 2026 CVE published

February 24, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-40701 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2023-29306 Adobe Connect Reflected Cross-Site Scripting (XSS) Arbitrary code execution CVE-2025-34316 IPFire < v2.29 Stored XSS via Mail Server Settings CVE-2026-5340 Fancy Image Show <= 9.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE-2025-69051 WordPress ListingPro Reviews theme <= 1.7 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-43284 WordPress WP Travel Gutenberg Blocks plugin <= 3.5.1 - Cross Site Scripting (XSS) vulnerability