CVE-2025-15452 is a cross-site scripting (XSS) vulnerability identified in the xnx3 wangmarket product, affecting all versions up to 4.9. The vulnerability resides in the Backend Variable Search component, specifically in the variableList function located at /admin/system/variableList.do. The issue arises from improper sanitization or validation of the Description parameter, which an attacker can manipulate to inject malicious JavaScript code. When an authenticated administrator accesses the affected page, the injected script executes in their browser context. This can lead to session hijacking, credential theft, or unauthorized actions performed with the administrator’s privileges. The vulnerability is remotely exploitable without requiring prior authentication, but it does require user interaction—namely, the administrator must visit a crafted URL or page containing the malicious payload. The vendor was notified early but has not issued any patches or advisories, and while an exploit is publicly available, there are no confirmed reports of exploitation in the wild. The CVSS v4.0 score is 4.8 (medium severity), reflecting the moderate impact and the need for user interaction. The vulnerability does not affect confidentiality or availability directly but poses a risk to integrity and administrative control over the system.

For European organizations using xnx3 wangmarket versions 4.0 to 4.9, this vulnerability presents a risk of administrative account compromise through XSS attacks. Successful exploitation could allow attackers to hijack administrator sessions, manipulate backend configurations, or perform unauthorized actions, potentially leading to data integrity issues or further compromise of internal systems. Since the vulnerability requires user interaction and administrative access, the impact is somewhat limited but still significant in environments where administrative interfaces are accessible remotely or insufficiently protected. The lack of vendor response and patches increases the risk exposure duration. Organizations in sectors with high regulatory requirements for data protection and system integrity, such as finance, healthcare, and government, may face compliance risks if exploited. Additionally, the presence of a public exploit increases the likelihood of opportunistic attacks, especially in environments with weak internal network segmentation or insufficient web application security controls.

European organizations should immediately audit their use of xnx3 wangmarket and identify any instances running vulnerable versions (4.0 through 4.9). Since no official patches are available, mitigation should focus on compensating controls: 1) Restrict access to the /admin/system/variableList.do endpoint to trusted IP addresses or VPN-only access to reduce exposure. 2) Implement strict Content Security Policy (CSP) headers to limit the execution of injected scripts. 3) Employ web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the Description parameter. 4) Educate administrators to avoid clicking untrusted links or visiting suspicious URLs while logged into the administrative interface. 5) Monitor logs for unusual access patterns or attempts to exploit the Description parameter. 6) Consider deploying runtime application self-protection (RASP) tools to detect and prevent XSS attacks in real-time. 7) Plan for an upgrade or migration to a patched or alternative solution as soon as a vendor fix or community patch becomes available. 8) Isolate administrative interfaces from general user networks and enforce multi-factor authentication to reduce the impact of session hijacking.