CVE-2025-13802: Cross Site Scripting in jairiidriss RestaurantWebsite
A vulnerability was determined in jairiidriss RestaurantWebsite up to e7911f12d035e8e2f9a75e7a28b59e4ef5c1d654. Impacted is an unknown function of the component Make a Reservation. This manipulation of the argument selected_date causes cross site scripting. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continuous delivery with rolling releases is used by this product. Therefore, no version details of affected or updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-13802 identifies a cross-site scripting (XSS) vulnerability in the jairiidriss RestaurantWebsite, specifically within the 'Make a Reservation' feature. The vulnerability is caused by insufficient input validation and output encoding of the 'selected_date' parameter, which can be manipulated by remote attackers to inject malicious JavaScript code. This flaw allows attackers to execute scripts in the context of the victim's browser, potentially leading to session hijacking, credential theft, or redirection to malicious sites. The vulnerability does not require authentication and can be exploited remotely, but user interaction is necessary to trigger the malicious payload. The product follows a continuous delivery model with rolling releases, complicating version tracking and patch management. The vendor has not responded to early notifications, and no patches or updated releases are currently available. The CVSS 4.0 base score is 5.3 (medium), reflecting the network attack vector, low complexity, no privileges required, but requiring user interaction and causing limited integrity impact. No known exploits are currently in the wild, but public disclosure increases the risk of exploitation attempts. The lack of vendor response and patch availability increases the urgency for organizations to implement compensating controls.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to those operating or managing online restaurant reservation platforms using the jairiidriss RestaurantWebsite or similar software. Successful exploitation could compromise user session data, enabling attackers to impersonate users or steal sensitive information such as personal details or reservation data. This can lead to reputational damage, loss of customer trust, and potential regulatory consequences under GDPR if personal data is compromised. Additionally, attackers could use the vulnerability to deliver phishing payloads or malware, increasing the risk of broader network compromise. The hospitality sector in Europe is significant, and many restaurants rely on online booking systems, making this vulnerability a potential vector for targeted attacks. The continuous delivery model and lack of vendor patching complicate timely remediation, increasing exposure duration. Organizations may also face indirect impacts such as increased support costs and customer dissatisfaction due to exploitation consequences.
Mitigation Recommendations
Organizations should immediately implement strict input validation and output encoding on the 'selected_date' parameter to prevent script injection. Employing a web application firewall (WAF) with custom rules to detect and block XSS payloads targeting this parameter can provide an effective interim defense. Regularly monitor web server logs and application behavior for signs of exploitation attempts or anomalous activity related to reservation inputs. If possible, isolate the reservation system from other critical infrastructure to limit lateral movement in case of compromise. Educate users and staff about phishing risks associated with XSS attacks to reduce the likelihood of successful social engineering. Engage in active threat intelligence sharing to stay informed about emerging exploits targeting this vulnerability. Finally, consider migrating to alternative, well-maintained reservation platforms if vendor support remains absent and patches are not forthcoming.
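The first three recommendations above (strict validation of `selected_date`, output encoding, and monitoring reservation inputs in web server logs) as an added example. This is not code from the advisory or from the RestaurantWebsite project, whose implementation language and handler code are not shown here; the function names, the `/reserve` path, the one-year booking window and the access-log lines are constructed assumptions.

```python
"""Defensive handling of a reservation form's selected_date parameter.

Added example (assumed names and paths, not the project's own code).
It shows: an allow-list validator for the date, HTML-encoded output
next to the vulnerable raw-interpolation pattern, and a log check that
flags requests whose selected_date is not a plausible reservation date.
"""
import html
import re
from datetime import date, timedelta
from urllib.parse import parse_qs, urlsplit

# Allow-list: the only shape a date picker should ever submit (YYYY-MM-DD).
DATE_RE = re.compile(r"^[0-9]{4}-[0-9]{2}-[0-9]{2}$")
MAX_DAYS_AHEAD = 365  # assumed booking window; tune to the business rule

# Apache/nginx-style combined log prefix: ip ident user [time] "METHOD target proto" status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def validate_selected_date(raw, today=None):
    """Return a date if `raw` is a well-formed, plausible reservation date, else None."""
    if not isinstance(raw, str) or not DATE_RE.fullmatch(raw):
        return None
    try:
        chosen = date.fromisoformat(raw)  # rejects impossible dates such as 2025-02-30
    except ValueError:
        return None
    today = today or date.today()
    if chosen < today or chosen > today + timedelta(days=MAX_DAYS_AHEAD):
        return None
    return chosen


def render_confirmation(raw_selected_date, today=None):
    """Hardened: validate first, then HTML-encode what is echoed back."""
    chosen = validate_selected_date(raw_selected_date, today)
    if chosen is None:
        # Reject rather than reflect: the rejected value never reaches the page.
        return '<p class="error">Please choose a valid reservation date.</p>'
    # Encoding is applied even to the validated value (defence in depth).
    return f"<p>Reservation requested for {html.escape(chosen.isoformat())}.</p>"


def render_confirmation_unsafe(raw_selected_date):
    """The vulnerable pattern: the raw parameter is interpolated into HTML."""
    return f"<p>Reservation requested for {raw_selected_date}.</p>"


def find_anomalous_requests(log_lines, today=None):
    """Flag requests whose selected_date fails validation.

    Returns (client_ip, decoded_value, reason) tuples; reason is "markup" when
    the value carries HTML/JS metacharacters and "malformed" otherwise.
    """
    findings = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        ip, _method, target, _status = match.groups()
        query = urlsplit(target).query
        # parse_qs percent-decodes, so the check sees what the handler would see.
        for value in parse_qs(query, keep_blank_values=True).get("selected_date", []):
            if validate_selected_date(value, today) is not None:
                continue
            has_markup = re.search(r"[<>\"']|javascript:", value, re.IGNORECASE)
            findings.append((ip, value, "markup" if has_markup else "malformed"))
    return findings


# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Dec/2025:10:01:02 +0000] "GET /reserve?selected_date=2025-12-24 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Dec/2025:10:02:17 +0000] "GET /reserve?selected_date=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 640',
    '10.0.0.7 - - [01/Dec/2025:10:03:40 +0000] "GET /reserve?selected_date=2025-13-01 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in find_anomalous_requests(SAMPLE_LOG, today=date(2025, 12, 1)):
        print(finding)
```

The validator treats the parameter as a date, not as free text, so anything that is not a real calendar date inside the booking window is rejected before it can be echoed; the same validator then doubles as the detection rule over the logs, which is simpler and less brittle than a signature list in a WAF rule. Note that the log check only sees GET query strings; if the form posts the field, the same `validate_selected_date` check belongs in the handler's own logging.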
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-30T14:00:52.589Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692d00c1a0d303b752e79abf
Added to database: 12/1/2025, 2:43:13 AM
Last enriched: 12/8/2025, 4:28:22 AM
Last updated: 1/18/2026, 4:46:06 AM