CVE-2025-13469 identifies a cross-site scripting vulnerability in the Public Knowledge Project's Open Monograph Press (OMP) software, specifically in versions 3.3.0, 3.4.0, and 3.5.0. The vulnerability resides in the paymentForm.tpl template file within the Payment Instructions Setting Handler component. The issue arises from improper handling of the manualInstructions argument, which can be manipulated by an attacker to inject malicious JavaScript code. This XSS flaw allows remote attackers to craft malicious URLs or input that, when viewed by legitimate users, execute arbitrary scripts in their browsers. The attack vector does not require authentication, increasing the exposure risk, but does require user interaction to trigger the payload, such as clicking a malicious link or viewing a compromised page. The impact primarily affects the confidentiality and integrity of user sessions, potentially enabling session hijacking, credential theft, or phishing. The vulnerability does not affect system availability and does not require elevated privileges to exploit. No known exploits have been reported in the wild as of the publication date. The vulnerability has been assigned a CVSS 4.0 base score of 4.8, reflecting its medium severity. The recommended remediation is to upgrade the affected OMP versions to a patched release once available or implement strict input validation and output encoding on the manualInstructions parameter to prevent script injection.

For European organizations, particularly academic institutions, research centers, and publishers using the Public Knowledge Project's OMP software, this vulnerability poses a risk to user data confidentiality and integrity. Exploitation could lead to session hijacking, allowing attackers to impersonate legitimate users, potentially accessing sensitive academic content or administrative functions. Phishing attacks leveraging this vulnerability could deceive users into divulging credentials or other sensitive information. While the vulnerability does not directly impact system availability, the reputational damage and potential data breaches could have significant consequences. Given the widespread use of OMP in European academic publishing, the threat could affect a broad user base, including researchers, authors, and administrative staff. The remote and unauthenticated nature of the attack vector increases the likelihood of exploitation attempts, especially if attackers target institutions with less stringent web security controls. However, the requirement for user interaction somewhat limits the attack's scope. Organizations failing to address this vulnerability may face compliance issues with data protection regulations such as GDPR if user data is compromised.

Organizations should prioritize upgrading their OMP installations to versions beyond 3.5.0 once the vendor releases a patch addressing CVE-2025-13469. Until an official patch is available, administrators should implement strict input validation and output encoding on the manualInstructions parameter to neutralize malicious script injections. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting the execution of unauthorized scripts. Regularly auditing and monitoring web application logs for suspicious activities related to payment instructions can help detect exploitation attempts early. User education is also critical; training users to recognize phishing attempts and avoid clicking on suspicious links reduces the risk of successful exploitation. Additionally, deploying web application firewalls (WAFs) with rules targeting XSS payloads can provide an additional layer of defense. Finally, organizations should review and harden their overall web security posture, including secure coding practices and periodic vulnerability assessments, to prevent similar issues.