CVE-2025-47204 Scanner

CVE-2025-47204 Scanner – XSS Vulnerability in Bootstrap Multiselect

Short Info

Level: Medium
Single Scan: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 12 days 23 hours
Scan only one: Domain, Subdomain, IPv4
Toolbox: -

Bootstrap Multiselect is a jQuery plugin that transforms standard select boxes into interactive, user-friendly multiselect dropdowns. It is commonly used in web applications for enhanced form inputs, supporting multiple selections with checkboxes, filtering, and UI customization. Developers often adopt the plugin’s sample code from its GitHub repository for quick integration. The plugin includes demo pages and supporting PHP scripts to showcase its functionality during development.

In versions ≤ 1.1.2 of Bootstrap Multiselect, a bundled `post.php` demo script echoes raw POST input. If developers deploy this script to a production environment without adding proper sanitization, it creates a reflected cross-site scripting (XSS) vulnerability. Attackers can exploit this by sending crafted requests that inject JavaScript into the response, potentially in combination with Cross-Site Request Forgery (CSRF). The vulnerable script reflects unsanitized input directly into an HTML page, enabling script execution in the victim's browser context.

Technical analysis of the vulnerable script reveals that user-supplied POST data is echoed directly back into the response without HTML escaping. This allows arbitrary HTML/JS payloads to be injected and rendered, making it possible to execute JavaScript via a simple POST request. Since the script is intended as a demo, this vulnerability is only present if copied to live systems without modification. Exploitation is confirmed by observing script execution (e.g., `alert(document.domain)`) and the presence of identifying elements from the plugin.
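A defender-side check for the condition described above, as an added example that is not part of the original page or the plugin's code: it walks a web root for files named `post.php` and flags lines that write `$_POST` or `$_REQUEST` data to the response without `htmlspecialchars` or `htmlentities`. The sample paths and PHP bodies are constructed, and the line-level matching is a heuristic assumed here, not the scanner's own method.

```python
import re
import tempfile
from pathlib import Path

# Constructs that write a value into the response body.
OUTPUT = re.compile(r"\b(?:echo|print|printf|print_r|var_dump)\b|<\?=")
# Request data the client controls ($_REQUEST also carries POST fields).
TAINTED = re.compile(r"\$_(?:POST|REQUEST)\b")
# Helpers that HTML-escape a value before it is written.
ESCAPED = re.compile(r"\b(?:htmlspecialchars|htmlentities)\s*\(")

def risky_statements(php_source):
    """Return (line_no, text) for lines that output request data unescaped."""
    # Line-level heuristic without data-flow tracking: a value copied into a
    # variable first is missed, so treat hits as leads for manual review.
    hits = []
    for no, line in enumerate(php_source.splitlines(), 1):
        text = line.strip()
        if text.startswith(("//", "#", "*", "/*")):
            continue  # commented-out code
        if OUTPUT.search(text) and TAINTED.search(text) and not ESCAPED.search(text):
            hits.append((no, text))
    return hits

def audit_webroot(root, names=("post.php",)):
    """Map each matching file (path relative to root) to its risky lines."""
    findings = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.name.lower() in names:
            hits = risky_statements(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Audit a constructed web root; paths and file bodies are made up."""
    samples = {
        "vendor/multiselect-demo/post.php": "<?php\nprint_r($_POST);\n",
        "app/post.php": "<?php\necho htmlspecialchars($_POST['q'], ENT_QUOTES, 'UTF-8');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit_webroot(root)

if __name__ == "__main__":
    print(demo())
```

Point `audit_webroot` at a deployed document root to list candidate files; any hit on a demo script is best resolved by removing the file from production rather than patching it in place.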

If exploited, this vulnerability may allow attackers to execute arbitrary scripts in the context of the victim’s browser session. This could result in session hijacking, theft of sensitive data, unauthorized actions on behalf of the user, or UI redressing. The risk is elevated in environments where demo code is inadvertently deployed in production. Cross-site scripting can also be leveraged to escalate to more severe attacks like phishing, keylogging, or spreading malware through injected content.
