CVE-2025-47289: CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag in CE-PhoenixCart PhoenixCart

Severity: Medium
Tags: Vulnerability, CVE-2025-47289, cve, cve-2025-47289, cwe-1004
Published: Mon Jun 02 2025 (06/02/2025, 11:00:20 UTC)
Source: CVE Database V5
Vendor/Project: CE-PhoenixCart
Product: PhoenixCart

Description

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker — potentially leading to account takeover. Version 1.1.0.3 fixes the issue.

AI-Powered Analysis

AI analysis last updated: 07/09/2025, 12:42:39 UTC

Technical Analysis

CVE-2025-47289 is a medium severity vulnerability affecting CE PhoenixCart, an open-source eCommerce platform. The vulnerability exists in versions 1.0.9.9 through 1.1.0.2 and involves a stored cross-site scripting (XSS) flaw in the testimonial description field. An attacker can inject malicious JavaScript code into this field. When the shop owner (admin) approves the testimonial, the malicious script executes in the context of any user who visits the testimonial page. This XSS attack is particularly dangerous because the session cookies used by the platform are not marked with the HttpOnly flag, which normally prevents client-side scripts from accessing cookie data. As a result, the attacker can exfiltrate session cookies, potentially leading to account takeover of users, including administrators. The vulnerability requires that the attacker submit a testimonial and that the admin approves it, which involves some level of privilege and user interaction. The CVSS 3.1 score is 6.3 (medium), reflecting network attack vector, low attack complexity, low privileges required, user interaction needed, and high confidentiality impact but low integrity and no availability impact. The issue is fixed in version 1.1.0.3 of PhoenixCart. No known exploits are reported in the wild yet.

Potential Impact

For European organizations using CE PhoenixCart, this vulnerability poses a significant risk to the confidentiality of user sessions and potentially administrative accounts. Successful exploitation could allow attackers to hijack user sessions, leading to unauthorized access to customer data, order information, and administrative controls. This could result in data breaches, fraud, and loss of customer trust. Since eCommerce platforms handle sensitive payment and personal data, the impact on GDPR compliance and potential regulatory penalties is considerable. The requirement for admin approval of testimonials somewhat limits the attack surface but does not eliminate risk, especially if the admin is tricked or negligent. The lack of HttpOnly flag on cookies exacerbates the risk by allowing cookie theft via XSS. European organizations relying on this platform for online sales must consider the reputational and financial damage from such an attack.

Mitigation Recommendations

1. Immediate upgrade to CE PhoenixCart version 1.1.0.3 or later, which patches the vulnerability.
2. Implement strict input validation and sanitization on all user-submitted content, especially testimonial fields, to prevent injection of malicious scripts.
3. Configure session cookies with the HttpOnly and Secure flags to prevent client-side access and ensure cookies are only sent over HTTPS.
4. Educate administrators to carefully review and verify testimonials before approval to reduce risk of malicious content being published.
5. Employ Content Security Policy (CSP) headers to restrict execution of unauthorized scripts on the site.
6. Monitor logs for suspicious testimonial submissions and unusual admin approval activity.
7. Conduct regular security audits and penetration testing focusing on XSS and session management controls.
8. Consider implementing multi-factor authentication for admin accounts to reduce risk of account takeover.
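To verify recommendation 3 on a deployed shop, the following check audits the Set-Cookie headers a response carries and flags session cookies that lack HttpOnly (CWE-1004) or Secure. This is an added example, not code from the PhoenixCart project; the header values, the cookie name `shop_session`, and the session-name heuristic in `SESSION_NAME_HINTS` are constructed for illustration.

```python
"""Audit Set-Cookie headers for missing HttpOnly (CWE-1004) and Secure flags.

Added example, not PhoenixCart code. Header values and cookie names below are
constructed samples; adapt SESSION_NAME_HINTS to the cookie names your shop uses.
"""
from dataclasses import dataclass, field

# Constructed sample of what a shop might return on login (not real PhoenixCart output).
SAMPLE_HEADERS = [
    "shop_session=abc123; Path=/",                              # weak: no HttpOnly, no Secure
    "cart_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # hardened
    "locale=en_GB; Path=/; Max-Age=31536000",                   # preference cookie, not a session
]

# Heuristic (constructed): substrings that mark a cookie as carrying session state.
SESSION_NAME_HINTS = ("session", "sid", "token", "auth")


@dataclass
class CookieAudit:
    name: str
    attributes: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() or True  # flag attributes carry no value
    return CookieAudit(name=name, attributes=attrs)


def looks_like_session(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookies(headers, check_secure=True):
    """Return audits for session-like cookies that miss HttpOnly or (optionally) Secure."""
    results = []
    for header in headers:
        audit = parse_set_cookie(header)
        if not looks_like_session(audit.name):
            continue
        if "httponly" not in audit.attributes:
            audit.findings.append("missing HttpOnly (CWE-1004): readable by injected script")
        if check_secure and "secure" not in audit.attributes:
            audit.findings.append("missing Secure: may be sent over plain HTTP")
        if audit.findings:
            results.append(audit)
    return results


if __name__ == "__main__":
    for item in audit_cookies(SAMPLE_HEADERS):
        print(item.name, "->", "; ".join(item.findings))
```

Feed it the Set-Cookie headers captured from your own shop after a login; any cookie it lists is one that recommendation 3 still applies to.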

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-05T16:53:10.374Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 683d94ca182aa0cae24279e9

Added to database: 6/2/2025, 12:10:50 PM

Last enriched: 7/9/2025, 12:42:39 PM

Last updated: 8/7/2025, 8:51:08 AM