CVE-2025-13469 identifies a cross-site scripting (XSS) vulnerability in the Public Knowledge Project's Open Monograph Press (OMP) software, specifically affecting versions 3.3.0, 3.4.0, and 3.5.0. The flaw exists in the paymentForm.tpl template file within the Payment Instructions Setting Handler component, where the manualInstructions parameter is not properly sanitized or encoded before being rendered in the web interface. This improper handling allows an attacker to inject arbitrary JavaScript code that executes in the context of the victim's browser when they view the affected page. The vulnerability can be exploited remotely without requiring authentication, although it requires user interaction such as clicking a malicious link or visiting a compromised page. The CVSS 4.8 score reflects that the attack vector is network-based with low attack complexity, no privileges required, but user interaction is necessary. The impact primarily affects confidentiality and integrity by enabling session hijacking, theft of cookies or credentials, and potential defacement or redirection to malicious sites. No known exploits have been reported in the wild as of the publication date. The vulnerability highlights the importance of secure coding practices, particularly input validation and output encoding in web templates handling user-supplied data. Remediation involves upgrading to patched versions of OMP once released and applying secure coding mitigations to prevent script injection.

For European organizations, especially academic institutions, research centers, and publishers that utilize Public Knowledge Project's OMP software for managing monographs and scholarly content, this vulnerability poses a tangible risk. Successful exploitation could lead to unauthorized access to user sessions, theft of sensitive credentials, and manipulation of payment instructions, potentially undermining trust in the platform. The impact on confidentiality and integrity could compromise user data and institutional reputation. Although the vulnerability does not directly affect availability, indirect effects such as defacement or phishing could disrupt normal operations. Given the widespread use of OMP in European academic environments, the threat could affect a significant number of users and stakeholders. The absence of known exploits reduces immediate risk but should not lead to complacency. Attackers could leverage this vulnerability in targeted phishing campaigns or supply chain attacks against European academic ecosystems.

European organizations should prioritize upgrading Public Knowledge Project OMP installations to versions beyond 3.5.0 once patches addressing CVE-2025-13469 are released. Until patches are available, administrators should implement strict input validation and output encoding on the manualInstructions parameter within the paymentForm.tpl template to neutralize script injection attempts. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts in browsers. Conduct thorough code reviews focusing on template rendering logic to identify and remediate similar injection vectors. Educate users to be cautious of unsolicited links or unexpected payment instruction pages to reduce the risk of social engineering exploitation. Monitor web server logs for unusual requests targeting the payment instructions handler. Additionally, consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this component. Regularly audit and update all third-party components and dependencies to maintain a secure environment.