Wisenshop Cross Site Scripting

# Exploit Title: Wisenshop - Stored XSS
# Exploit Author: CraCkEr
# # Exploit Title: Wisenshop - Stored XSS
# Exploit Author: CraCkEr
# Date: 11-10-2025
# Author of Script: Wisencode Infotech
# Vendor: Wisencode Infotech
# Vendor Homepage: https://www.codester.com/items/53007/wisenshop-ecommerce-store-script
# Software Link: https://default-theme.wisenshop.com/
# Demo Link: https://default-theme.wisenshop.com/
# Tested on: Windows 11 Pro
# Impact: Manipulate the content of the site
# CWE: CWE-79 - CWE-94 - CWE-74
# VDB: VDB-329935
# CVE: CVE-2025-12264


## Description

Attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials


## Steps to Reproduce the Stored XSS Vulnerability:

1. Register on the target website as a standard user.
2. Log in using your newly created credentials.
3. Navigate to the Profile page: https://default-theme.wisenshop.com/profile
4. Click on "Create a Support Ticket" to access the ticket submission form: https://default-theme.wisenshop.com/support-ticket/create
5. Fill in arbitrary values for Email and Subject, and inject a malicious XSS payload into the Message field.
6. Submit the support ticket.

7. Log in as an admin and navigate to the Support Tickets section in the backend panel: https://default-theme.wisenshop.com/backend/tickets
8. Upon viewing the submitted ticket, the XSS payload executes in the admin?s browser.



[-] Done