CVE-2025-10075: Cross Site Scripting in SourceCodester Online Polling System
A security flaw has been discovered in SourceCodester Online Polling System 1.0. The impacted element is an unknown function of the file /manage-profile.php. The manipulation of the argument firstname results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
AI Analysis
Technical Summary
CVE-2025-10075 is a cross-site scripting (XSS) vulnerability identified in version 1.0 of the SourceCodester Online Polling System. The vulnerability exists in the /manage-profile.php file, specifically in the handling of the 'firstname' parameter. An attacker can remotely manipulate this parameter to inject malicious scripts into the web application. This flaw allows an attacker to execute arbitrary JavaScript code in the context of the victim's browser session without requiring authentication, although user interaction is needed to trigger the malicious script. The advisory does not state whether the XSS is reflected or stored; which it is depends on how the application handles the value. The CVSS 4.0 base score is 5.1 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required, and required user interaction. The impact primarily affects confidentiality and integrity by enabling session hijacking, credential theft, or defacement. Availability impact is low. The exploit code has been publicly released, increasing the risk of exploitation, although no confirmed active exploitation in the wild has been reported yet. The vulnerability stems from insufficient input validation or output encoding of user-supplied data in the firstname parameter, allowing script injection. Since the polling system is a web-based application likely used for gathering user opinions or votes, exploitation could lead to manipulation of poll results, phishing attacks against users, or distribution of malware via injected scripts. The lack of a vendor patch link indicates that a fix may not yet be available, emphasizing the need for immediate mitigation steps by administrators.
Potential Impact
For European organizations using the SourceCodester Online Polling System 1.0, this vulnerability poses a moderate risk. Polling systems are often used in corporate, governmental, or community environments to collect feedback or votes, making them attractive targets for attackers seeking to influence outcomes or gather sensitive user data. Exploitation could lead to unauthorized access to user sessions, theft of credentials, or distribution of malicious payloads to users, undermining trust and potentially violating data protection regulations such as GDPR. The manipulation of poll data could affect decision-making processes or public opinion, especially in politically sensitive contexts. Additionally, compromised polling platforms could serve as entry points for broader attacks within an organization's network. The medium severity rating reflects that while the vulnerability requires user interaction and does not grant direct system control, the potential for reputational damage and data compromise is significant. Organizations in sectors such as public administration, political organizations, and enterprises relying on online polling should be particularly vigilant.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls. First, apply strict input validation and output encoding on the 'firstname' parameter in /manage-profile.php to neutralize script injection attempts. Web application firewalls (WAFs) should be configured to detect and block typical XSS payloads targeting this parameter. Administrators should review and restrict user input fields to allow only expected characters (e.g., alphabetic characters) and employ Content Security Policy (CSP) headers to limit the sources from which scripts may be executed. User awareness campaigns can reduce the risk by educating users not to click suspicious links or submit untrusted input. Monitoring web server logs for unusual requests to /manage-profile.php can help detect exploitation attempts. If possible, isolate the polling system from critical internal networks to limit lateral movement. Organizations should also track vendor communications for patches and plan timely updates once available. Finally, consider migrating to a more secure, actively maintained polling platform if feasible.
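As an added illustration (not SourceCodester's code; the vendor's actual /manage-profile.php logic is not reproduced here), a hypothetical PHP handler that applies the validation, output-encoding and CSP controls recommended above to a `firstname` field, shown beside the unsafe pattern that produces this class of XSS:

```php
<?php
// Added example, not the vendor's code: the real /manage-profile.php is not
// reproduced here. It shows defensive handling of a profile 'firstname' field.

declare(strict_types=1);

// Unsafe pattern (the bug class behind the advisory): the submitted value is
// written straight into the HTML response without any encoding.
function render_unsafe(string $firstname): string
{
    return '<input name="firstname" value="' . $firstname . '">';
}

// Allow-list validation: letters in any script, spaces, apostrophes and
// hyphens, 1 to 50 characters. Returns null when the value is rejected.
function validate_firstname(string $raw): ?string
{
    $trimmed = trim($raw);
    if (preg_match('/^[\p{L}\' -]{1,50}$/u', $trimmed) !== 1) {
        return null;
    }
    return $trimmed;
}

// Contextual output encoding for HTML text nodes and quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened counterpart of render_unsafe(): the value is encoded on output,
// so a stored or reflected script payload is rendered as inert text.
function render_safe(string $firstname): string
{
    return '<input name="firstname" value="' . h($firstname) . '">';
}

// Request handling; only runs when served by a web SAPI, not on the CLI.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    // Defence in depth: restrict where scripts may be loaded from.
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');

    $firstname = validate_firstname($_POST['firstname'] ?? '');
    if ($firstname === null) {
        http_response_code(400);
        exit('Invalid first name.');
    }
    // Persist $firstname here, then render it encoded.
    echo render_safe($firstname);
}
```

Validation rejects the value before it is stored, and encoding on output protects even records that were saved before the check existed.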
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-09-07T11:48:45.410Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68be280ae3f0bafba8aaad7c
Added to database: 9/8/2025, 12:49:14 AM
Last enriched: 9/8/2025, 1:03:13 AM
Last updated: 10/22/2025, 5:30:05 AM