
CVE-2025-3975: Information Disclosure in ScriptAndTools eCommerce-website-in-PHP

Severity: Medium
Published: Sun Apr 27 2025 (04/27/2025, 15:31:05 UTC)
Source: CVE
Vendor/Project: ScriptAndTools
Product: eCommerce-website-in-PHP

Description

A vulnerability was found in ScriptAndTools eCommerce-website-in-PHP 3.0 and classified as problematic. This issue affects some unknown processing of the file /admin/subscriber-csv.php. The manipulation leads to information disclosure. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 06/24/2025, 18:22:07 UTC

Technical Analysis

CVE-2025-3975 is an information disclosure vulnerability identified in version 3.0 of the ScriptAndTools eCommerce-website-in-PHP product. The vulnerability specifically involves improper handling within the /admin/subscriber-csv.php file, which is part of the administrative backend functionality. This flaw allows an unauthenticated remote attacker to manipulate requests to this PHP script, resulting in unauthorized disclosure of sensitive information. The vulnerability does not require any authentication or user interaction, and the attack vector is network-based, making exploitation feasible remotely with low complexity. The disclosed information could include subscriber data or other sensitive administrative information processed or stored by the vulnerable script. The CVSS 4.0 base score is 6.9, categorizing the severity as medium. The vulnerability does not impact integrity or availability but compromises confidentiality to a limited extent. No patches or official remediation links have been published at the time of disclosure, and there are no known exploits actively used in the wild, although public disclosure of the exploit code exists, increasing the risk of exploitation attempts.

Potential Impact

For European organizations using ScriptAndTools eCommerce-website-in-PHP version 3.0, this vulnerability poses a moderate risk primarily to the confidentiality of subscriber or customer data managed through the administrative interface. Information disclosure could lead to privacy violations, regulatory non-compliance (e.g., GDPR), and potential reputational damage. Since the vulnerability is remotely exploitable without authentication, attackers could leverage it to gather sensitive business or customer information, which might be used for further targeted attacks such as phishing or social engineering. The impact is particularly significant for eCommerce businesses handling personal data of EU citizens, as unauthorized data exposure could trigger legal penalties under European data protection laws. However, the vulnerability does not directly affect system integrity or availability, so operational disruption is unlikely. The absence of known active exploitation reduces immediate risk but does not eliminate the threat, especially given the public availability of exploit details.

Mitigation Recommendations

1. Immediate mitigation should involve restricting access to the /admin/subscriber-csv.php script by implementing network-level controls such as IP whitelisting or VPN-only access to the administrative interface.
2. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting this script.
3. Conduct a thorough code review of the /admin/subscriber-csv.php file to identify and fix improper input validation or output encoding issues that lead to information leakage.
4. If possible, disable or remove the subscriber CSV export functionality until a vendor patch is available.
5. Monitor web server logs for unusual access patterns or repeated requests to the vulnerable script indicative of exploitation attempts.
6. Engage with the vendor or community to obtain or develop patches addressing the vulnerability.
7. Ensure that all sensitive data stored or processed by the eCommerce platform is encrypted at rest and in transit to minimize the impact of any potential disclosure.
8. Implement strict role-based access controls (RBAC) and multi-factor authentication (MFA) for administrative accounts to reduce the attack surface.
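Worked example for recommendations 1 and 5 above (added here; not code from the advisory, the vendor, or the affected product): a small access-log check that flags successful requests to /admin/subscriber-csv.php from addresses outside an assumed admin allowlist, and repeated requests to that script from any single source. The log lines and the allowlist address 10.0.0.5 are constructed for the example.

```python
import re
from collections import Counter

# Constructed combined-format access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Apr/2025:15:40:01 +0000] "GET /admin/subscriber-csv.php HTTP/1.1" 200 18432 "-" "curl/8.4.0"
203.0.113.7 - - [27/Apr/2025:15:40:03 +0000] "GET /admin/subscriber-csv.php HTTP/1.1" 200 18432 "-" "curl/8.4.0"
203.0.113.7 - - [27/Apr/2025:15:40:05 +0000] "GET /admin/subscriber-csv.php HTTP/1.1" 200 18432 "-" "curl/8.4.0"
10.0.0.5 - admin [27/Apr/2025:15:41:10 +0000] "GET /admin/subscriber-csv.php HTTP/1.1" 200 18432 "https://shop.example/admin/" "Mozilla/5.0"
198.51.100.9 - - [27/Apr/2025:15:42:00 +0000] "GET /product.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

VULNERABLE_PATH = "/admin/subscriber-csv.php"   # path named in the advisory
ADMIN_ALLOWLIST = {"10.0.0.5"}                   # assumed trusted admin/VPN address
REPEAT_THRESHOLD = 3                             # assumed per-source hit threshold

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not well-formed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]   # drop query string before comparing
    return rec


def analyze(log_text, allowlist=ADMIN_ALLOWLIST, threshold=REPEAT_THRESHOLD):
    """Return findings as tuples: (kind, source_ip, detail)."""
    findings = []
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != VULNERABLE_PATH:
            continue
        hits[rec["ip"]] += 1
        # A 200 to the export script from outside the allowlist means data left
        # the server to a source that should have been blocked at the network edge.
        if rec["ip"] not in allowlist and rec["status"] == "200":
            findings.append(("unallowlisted_success", rec["ip"], rec["ts"]))
    for ip, count in hits.items():
        if count >= threshold:
            findings.append(("repeated_access", ip, count))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```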


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-04-26T07:25:37.140Z
CISA Enriched: true
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 682d983ec4522896dcbef952

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 6:22:07 PM

Last updated: 8/16/2025, 12:37:29 AM
