CVE-2025-15452 identifies a cross-site scripting vulnerability in the xnx3 wangmarket product, affecting all versions from 4.0 through 4.9. The flaw exists in the Backend Variable Search component, specifically in the variableList function within the /admin/system/variableList.do endpoint. The vulnerability is triggered by manipulation of the Description parameter, which is not properly sanitized or encoded before being reflected in the web interface. This allows an attacker to inject arbitrary JavaScript code that executes in the context of an authenticated administrator's browser session. The attack vector is remote and requires the attacker to have high privileges (likely authenticated admin access) and user interaction to trigger the malicious payload. The CVSS 4.0 base score is 4.8, reflecting a medium severity due to limited impact on confidentiality and availability, and the requirement for user interaction and privileges. The vendor was notified early but has not issued a patch or response, increasing the risk for organizations relying on this software. No public exploits are currently known, but proof-of-concept code has been disclosed, which could facilitate future attacks.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary scripts within the context of an authenticated administrator's session. This can lead to session hijacking, unauthorized actions within the admin panel, or theft of sensitive information accessible to the administrator. While the vulnerability does not directly compromise system integrity or availability, it undermines the trustworthiness of the administrative interface and could be leveraged as a stepping stone for further attacks. Organizations using affected versions of xnx3 wangmarket risk exposure to targeted attacks, especially if attackers gain or already possess administrative credentials. The lack of vendor response and patch availability increases the window of exposure. Given the administrative nature of the affected component, the impact is more severe in environments where the backend interface is exposed or accessible to multiple users.

Organizations should immediately restrict access to the /admin/system/variableList.do endpoint to trusted administrators only, ideally via network segmentation or VPN. Implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting the Description parameter. Administrators should avoid clicking on untrusted links or inputs that could trigger the XSS payload. Since no official patch is available, consider applying manual input sanitization or output encoding at the application level if source code access is possible. Monitor logs for unusual activity related to the variableList function and conduct regular security assessments of the admin interface. Engage with the vendor for updates and consider migrating to alternative solutions if the vendor remains unresponsive. Finally, educate administrators about the risks of XSS and safe browsing practices within the admin panel.