CVE-2025-22793 is a DOM-based Cross-site Scripting (XSS) vulnerability identified in the Bold pagos en linea web application, a payment processing platform. The vulnerability stems from improper neutralization of user input during web page generation, specifically in the client-side DOM context, which allows attackers to inject and execute arbitrary JavaScript code within the victim's browser. This flaw affects all versions up to and including 3.1.4. Unlike traditional reflected or stored XSS, DOM-based XSS occurs entirely on the client side, making detection and mitigation more challenging. The attacker typically crafts a malicious URL or input that, when processed by the vulnerable application, leads to script execution without server-side sanitization. Exploitation requires the victim to interact with the malicious content, such as clicking a link or visiting a manipulated page. Although no public exploits are reported yet, the vulnerability poses a significant risk because it can be leveraged to steal session cookies, perform actions on behalf of the user, or redirect users to malicious sites. The absence of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the nature of DOM-based XSS and the affected product's role in payment processing elevate its criticality. The vulnerability is currently unpatched, and no official fixes or mitigation guidance have been published by the vendor. Organizations using Bold pagos en linea should monitor for updates and apply security best practices to mitigate the risk.

The primary impact of CVE-2025-22793 is on the confidentiality and integrity of user sessions and data. Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser, potentially leading to session hijacking, theft of sensitive information such as payment credentials, and unauthorized transactions. This can undermine user trust and lead to financial losses. Additionally, attackers could use the vulnerability to perform phishing attacks or deliver malware by redirecting users to malicious sites. While availability impact is less direct, widespread exploitation could disrupt service usage or lead to reputational damage for organizations relying on Bold pagos en linea. Given the product's role in online payments, the threat is particularly severe for e-commerce platforms and financial services that depend on it. The lack of authentication requirement lowers the barrier for attackers, increasing the likelihood of exploitation if unmitigated. The scope of affected systems includes all installations of Bold pagos en linea up to version 3.1.4, which may be significant in regions where this product is popular.

To mitigate CVE-2025-22793, organizations should implement strict input validation and output encoding on all user-controllable data that influences DOM content. Specifically, use secure JavaScript APIs that avoid direct insertion of untrusted data into the DOM, such as textContent instead of innerHTML, and employ context-aware encoding libraries. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Monitor for vendor patches or updates addressing this vulnerability and apply them promptly once available. Conduct thorough code reviews and security testing focusing on client-side code handling user input. Educate users to avoid clicking suspicious links and implement web application firewalls (WAFs) with rules targeting XSS patterns as an additional protective layer. Finally, consider isolating payment processing components to minimize the attack surface and potential damage from exploitation.