CVE-2025-15451 is a cross-site scripting vulnerability identified in the xnx3 wangmarket product, affecting all versions from 4.0 to 4.9. The vulnerability resides in the /admin/system/variableSave.do endpoint, specifically within the System Variables Page component. An attacker can manipulate the Description parameter to inject malicious JavaScript code. This injection occurs because the input is not properly sanitized or encoded before being reflected in the web interface. The attack vector is remote, meaning an attacker can exploit this flaw over the network without physical access. However, the CVSS vector indicates that exploitation requires high privileges (PR:H) and user interaction (UI:P), suggesting that the attacker must have some level of authenticated access or trick an authenticated user into executing the payload. The vulnerability does not affect confidentiality or availability significantly but impacts integrity and user trust by enabling script execution in the context of an administrator’s session. The vendor was notified early but has not issued a patch or response, and no known exploits have been observed in the wild yet. This lack of vendor response increases the risk of exploitation as attackers may develop exploits independently. The CVSS score of 4.8 reflects a medium severity, balancing the ease of exploitation with the requirement for privileges and user interaction. The vulnerability could be leveraged for session hijacking, privilege escalation, or unauthorized administrative actions if exploited successfully.

For European organizations, this vulnerability poses a moderate risk primarily to the integrity and security of administrative interfaces. If exploited, attackers could execute arbitrary scripts within the context of an administrator’s browser session, potentially leading to session hijacking, unauthorized configuration changes, or deployment of further malware. This could disrupt business operations, compromise sensitive data, and damage organizational reputation. The impact is heightened in sectors where xnx3 wangmarket is used to manage critical e-commerce or internal systems. Since exploitation requires high privileges and user interaction, the threat is more significant in environments with multiple administrators or where phishing/social engineering attacks are feasible. The absence of a vendor patch increases the urgency for organizations to implement compensating controls. Failure to address this vulnerability could lead to targeted attacks against European companies using this software, especially those with exposed administrative interfaces.

1. Immediately restrict access to the /admin/system/variableSave.do endpoint to trusted IP addresses or VPN-only access to reduce exposure. 2. Implement strict input validation and output encoding on the Description parameter to prevent script injection, if modifying the application is possible. 3. Employ web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting this endpoint. 4. Educate administrators about phishing and social engineering risks to reduce successful user interaction exploitation. 5. Monitor administrative logs and network traffic for unusual activities indicative of exploitation attempts. 6. If feasible, isolate the administrative interface from general network access and enforce multi-factor authentication to increase the difficulty of obtaining high privileges. 7. Regularly review and update security policies to ensure rapid response to emerging threats given the vendor’s lack of patching. 8. Consider alternative software solutions if patching or mitigation is not viable in the medium term.