CVE-2025-13802 is a cross-site scripting (XSS) vulnerability identified in the jairiidriss RestaurantWebsite, specifically within the 'Make a Reservation' feature. The vulnerability stems from improper handling of the 'selected_date' parameter, which is susceptible to injection of malicious scripts. This flaw allows remote attackers to execute arbitrary JavaScript in the context of the victim's browser without requiring authentication, though user interaction (such as clicking a malicious link) is necessary. The vulnerability was publicly disclosed on December 1, 2025, with a CVSS 4.0 base score of 5.3, indicating medium severity. The continuous delivery and rolling release model employed by the vendor complicates version tracking and patch availability, and the vendor has not responded to disclosure attempts. Exploitation could enable attackers to steal session cookies, perform phishing attacks, or manipulate website content, thereby compromising user confidentiality and integrity. No known exploits are currently observed in the wild, but the public disclosure increases the risk of exploitation. The lack of vendor response and absence of patches necessitate proactive mitigation by affected organizations. The vulnerability does not affect system availability directly but poses a significant risk to user data and trust. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary. This vulnerability highlights the importance of secure input validation and output encoding in web applications, especially those handling user-generated data in interactive features like reservations.

For European organizations using the jairiidriss RestaurantWebsite platform, this XSS vulnerability can lead to several adverse impacts. Attackers could hijack user sessions, steal sensitive personal information, or conduct phishing campaigns by injecting malicious scripts into the reservation system. This undermines customer trust and can result in reputational damage, especially critical in the hospitality industry where customer experience is paramount. Additionally, compromised user data may lead to regulatory non-compliance issues under GDPR, exposing organizations to legal and financial penalties. The vulnerability does not directly affect system availability but can indirectly cause service disruptions if exploited at scale or used to deliver malware. Since the vulnerability requires user interaction, social engineering tactics could be employed to maximize impact. European restaurants and hospitality businesses relying on this platform or similar web applications are at risk of targeted attacks, particularly in countries with large tourism sectors. The lack of vendor patches increases the window of exposure, necessitating immediate defensive measures. Overall, the threat poses a moderate risk to confidentiality and integrity of customer data and business operations within Europe.

To mitigate CVE-2025-13802, organizations should implement strict input validation and output encoding on the 'selected_date' parameter within the 'Make a Reservation' feature to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Conduct thorough code reviews and penetration testing focusing on user input handling in reservation workflows. Monitor web application logs and user activity for signs of suspicious behavior or exploitation attempts. Educate staff and users about the risks of clicking unknown or suspicious links to reduce successful social engineering. If possible, isolate or sandbox the reservation component to limit the scope of any potential compromise. Consider deploying Web Application Firewalls (WAFs) with rules tailored to detect and block XSS payloads targeting this parameter. Given the vendor's lack of response, organizations should explore alternative platforms or custom patches to address the vulnerability. Finally, maintain up-to-date backups and incident response plans to quickly recover from any successful exploitation.