CVE-2025-13795 identifies a cross-site scripting vulnerability in the codingWithElias School Management System, affecting versions up to commit f1ac334bfd89ae9067cc14dea12ec6ff3f078c01. The vulnerability exists in the /student-view.php file, specifically on the Edit Student Info Page, where the 'First Name' parameter is not properly sanitized or encoded before being reflected in the web page. This allows an attacker to inject malicious JavaScript code that executes in the context of the victim's browser. The vulnerability is remotely exploitable without requiring authentication, although user interaction is necessary to trigger the payload. The product uses a rolling release model, complicating version tracking and patch management. The vendor has not responded to disclosure attempts, and no official patches or updates have been released. Public exploit code is available, increasing the likelihood of exploitation. The vulnerability can be leveraged to steal session cookies, perform actions on behalf of authenticated users, or deliver further malware. Given the nature of school management systems, exploitation could compromise sensitive student and staff data, disrupt operations, or damage institutional reputation.

For European organizations, particularly educational institutions using the codingWithElias School Management System, this vulnerability poses a risk to confidentiality, integrity, and availability of sensitive student and administrative data. Attackers exploiting this XSS flaw could hijack user sessions, leading to unauthorized access to personal information, grades, and other protected records. The integrity of student data could be compromised by unauthorized modifications. Additionally, attackers could use the vulnerability as a foothold to deploy further attacks such as phishing or malware distribution within the school network. The lack of vendor response and absence of patches increase exposure time, raising the risk of targeted attacks. Disruption of school management operations could impact educational delivery and compliance with data protection regulations such as GDPR, potentially resulting in legal and financial consequences.

1. Implement strict input validation and output encoding on all user-supplied data, especially the 'First Name' field and other parameters in /student-view.php. 2. Deploy a Web Application Firewall (WAF) configured to detect and block common XSS attack patterns targeting the school management system. 3. Conduct thorough code reviews and security testing focusing on input handling in all components of the application. 4. Isolate the school management system within a segmented network zone to limit lateral movement if compromised. 5. Monitor logs and user activity for unusual behavior indicative of exploitation attempts. 6. Educate administrative users about the risks of clicking on suspicious links or executing untrusted scripts. 7. If possible, apply temporary patches or workarounds such as disabling the vulnerable input fields or restricting editing privileges until an official fix is released. 8. Engage with the vendor or consider alternative solutions if timely remediation is not forthcoming.