CVE-2025-13450: Cross Site Scripting in SourceCodester Online Shop Project
A vulnerability was determined in SourceCodester Online Shop Project 1.0. Impacted is an unknown function of the file /shop/register.php. This manipulation of the argument f_name causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
AI Analysis
Technical Summary
CVE-2025-13450 identifies a Cross Site Scripting (XSS) vulnerability in SourceCodester Online Shop Project version 1.0, specifically within the /shop/register.php file. The vulnerability arises from improper handling of the f_name parameter, which allows an attacker to inject script that is executed in the context of the victim's browser. The flaw can be exploited remotely, although user interaction is necessary for the attack to succeed (e.g., a victim submitting or following a crafted registration request). The vulnerability affects confidentiality and integrity by enabling attackers to steal session cookies, perform actions on behalf of users, or conduct phishing by injecting deceptive content. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), passive user interaction (UI:P), and no impact on the confidentiality of the vulnerable system with low impact on its integrity (VC:N, VI:L). No exploitation in the wild has been reported, but public disclosure increases the risk. The absence of patches or vendor advisories means that organizations must implement their own mitigations. The vulnerability is typical of reflected or stored XSS issues common in web applications that fail to encode user input before rendering it in an HTML context.
Potential Impact
For European organizations, the impact of this XSS vulnerability can be significant, especially for those operating e-commerce platforms or customer-facing web applications based on or similar to SourceCodester Online Shop Project. Exploitation could lead to session hijacking, allowing attackers to impersonate legitimate users and potentially access sensitive personal or payment information. It could also facilitate phishing attacks by injecting malicious scripts that alter the appearance or behavior of the website, undermining customer trust and brand reputation. While the vulnerability does not directly compromise server integrity or availability, the indirect consequences such as data leakage, fraud, and regulatory non-compliance (e.g., GDPR violations) could result in financial penalties and legal consequences. The medium severity rating reflects a moderate risk that should be addressed promptly to prevent exploitation. Organizations with large user bases or handling sensitive customer data are at greater risk.
Mitigation Recommendations
To mitigate CVE-2025-13450, organizations should implement strict input validation and output encoding on the f_name parameter and any other user-supplied inputs in the /shop/register.php file. Specifically, applying context-aware encoding (e.g., HTML entity encoding) before rendering user inputs in web pages will prevent script execution. Employing a Web Application Firewall (WAF) with rules to detect and block XSS payloads can provide an additional layer of defense. Regularly scanning the application with automated security testing tools to identify similar injection flaws is recommended. If possible, update or patch the SourceCodester Online Shop Project to a version that addresses this vulnerability once available. Educate developers on secure coding practices to avoid introducing XSS vulnerabilities in future releases. Monitoring web server logs and user reports for suspicious activity related to the registration page can help detect exploitation attempts early. Finally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers.
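The following is an added example, not code from the SourceCodester project, showing how the first two mitigations above (input validation and context-aware output encoding of f_name) and the CSP recommendation fit together in a PHP registration handler. The helper names `h()` and `validateFirstName()`, the 50-character limit, the allowed-character class, the message wording and the CSP values are assumptions chosen for the example; adapt them to the application. The point it demonstrates is that the value of `f_name` is never written into HTML without passing through `htmlspecialchars()`, and that a rejected value is not echoed back at all.

```php
<?php
// Added example (not the SourceCodester Online Shop Project's own code): a
// hardened handler for the f_name field of a registration form.
declare(strict_types=1);

// Content Security Policy as a second layer: no inline scripts, only scripts
// served from this origin. Assumed policy; tighten or relax per application.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
header('X-Content-Type-Options: nosniff');

/**
 * Encode a string for insertion into HTML text or a double-quoted attribute.
 * ENT_QUOTES escapes both quote styles (so the value is safe inside value="...");
 * ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Validate a first name against a conservative allow-list and length limit.
 * Returns null when the input is not acceptable. The character class
 * (letters in any script, combining marks, spaces, apostrophes, hyphens)
 * and the 50-character limit are assumptions for this example.
 */
function validateFirstName(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $name = trim($raw);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 50) {
        return null;
    }
    if (!preg_match('/^[\p{L}\p{M}\' -]+\z/u', $name)) {
        return null;
    }
    return $name;
}

// The vulnerable pattern is echoing $_POST['f_name'] straight into the page.
// Here the raw value is validated first and every output goes through h().
$fName = validateFirstName($_POST['f_name'] ?? null);

if ($fName === null) {
    // Fixed message: the rejected value is deliberately not reflected.
    $message = 'Please enter a valid first name (letters, spaces, apostrophes and hyphens; at most 50 characters).';
    $fName = '';
} else {
    // ... persist $fName with a prepared statement, then confirm.
    $message = 'Welcome, ' . $fName . '!';
}
?>
<p><?= h($message) ?></p>
<form method="post" action="/shop/register.php">
  <!-- Attribute context: h() escapes quotes, so the value cannot break out of value="" -->
  <input type="text" name="f_name" value="<?= h($fName) ?>">
  <button type="submit">Register</button>
</form>
```

Encoding is applied at the point of output (`<?= h(...) ?>`) rather than when the value is stored, so the same stored name can later be rendered in a different context (a JavaScript string, a URL) with the encoder appropriate to that context. The allow-list validation reduces what reaches the database, but it is not the XSS control; the encoder is, which is why both are present. The `script-src 'self'` policy will block any inline `<script>` the application itself uses, so deploy it in report-only mode first if the site relies on inline scripts.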
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-19T19:20:41.933Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 691e890f1af65083e684c08c
Added to database: 11/20/2025, 3:20:47 AM
Last enriched: 11/20/2025, 3:35:52 AM
Last updated: 11/20/2025, 5:12:57 AM