CVE-2025-5628: Cross Site Scripting in SourceCodester Food Menu Manager
A vulnerability, which was classified as problematic, has been found in SourceCodester Food Menu Manager 1.0. Affected by this issue is some unknown functionality of the file /index.php of the component Add Menu Handler. The manipulation of the argument name/description leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-5628 is a cross-site scripting (XSS) vulnerability identified in SourceCodester Food Menu Manager version 1.0. The vulnerability exists in the /index.php file within the Add Menu Handler component, specifically through the manipulation of the 'name' and 'description' parameters. An attacker can craft malicious input for these parameters, which is then improperly sanitized or escaped before being rendered in the web application, allowing the injection and execution of arbitrary JavaScript code in the context of the victim's browser. This vulnerability is remotely exploitable without requiring authentication, although it requires some user interaction (e.g., a victim clicking a malicious link or viewing a crafted page). The CVSS 4.0 base score is 5.1, indicating a medium severity level. The attack vector is network-based with low attack complexity and no privileges required. The impact primarily affects confidentiality and integrity at a low level, as the vulnerability allows script execution that could lead to session hijacking, defacement, or redirection to malicious sites. Availability is not impacted. No known exploits are currently reported in the wild, and no official patches or mitigations have been published at the time of disclosure. The vulnerability affects only version 1.0 of the Food Menu Manager product by SourceCodester, a web-based application likely used by small to medium-sized food service businesses to manage menus online. Given the nature of XSS, the threat can be leveraged to target users of the application rather than the server infrastructure directly, but successful exploitation can lead to broader attacks such as credential theft or malware distribution.
Potential Impact
For European organizations using SourceCodester Food Menu Manager 1.0, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of user sessions. Exploitation could allow attackers to execute malicious scripts in the browsers of legitimate users, potentially leading to session hijacking, unauthorized actions on behalf of users, or phishing attacks. This can damage the reputation of the affected organizations, lead to data leakage, and cause regulatory compliance issues under GDPR if personal data is compromised. Since the product is likely used by small and medium enterprises in the food service sector, the impact could disrupt customer trust and business operations. However, the vulnerability does not directly compromise server availability or allow remote code execution on the server, limiting the scope of damage. The lack of known exploits in the wild reduces immediate risk, but public disclosure increases the likelihood of future exploitation attempts. European organizations should be aware that attackers could target their customers or employees through this vector, especially if the application is publicly accessible.
Mitigation Recommendations
1. Immediate mitigation should include implementing strict input validation and output encoding on the 'name' and 'description' parameters within the Add Menu Handler component to neutralize malicious scripts.
2. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.
3. If possible, disable or restrict the functionality that allows users to add or modify menu items until a patch is available.
4. Monitor web server logs and application logs for suspicious input patterns or repeated attempts to exploit the XSS vectors.
5. Educate users about the risks of clicking on suspicious links and encourage the use of updated browsers with built-in XSS protections.
6. Engage with the vendor or community to obtain or develop a security patch addressing the vulnerability.
7. Consider deploying Web Application Firewalls (WAF) with rules to detect and block common XSS payloads targeting the affected parameters.
8. Regularly review and update security policies to include testing for XSS vulnerabilities in web applications, especially those handling user-generated content.
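The following is an added example, not code from SourceCodester or the Food Menu Manager project, showing how recommendations 1 and 2 apply to a PHP handler that accepts the 'name' and 'description' fields named in the advisory and renders them back. The length limits, the surrounding HTML structure and the CSP directives are assumptions chosen for illustration.

```php
<?php
// Added example (not SourceCodester's code): a hardened pattern for an
// "Add Menu" style handler that receives 'name' and 'description' via POST
// and renders them. Field names come from the advisory; limits and HTML
// layout are assumptions.
declare(strict_types=1);

// Recommendation 2: a restrictive CSP so that a missed encoding cannot run
// inline or third-party script. Headers must be sent before any output.
header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'");
header('X-Content-Type-Options: nosniff');

// Recommendation 1, input side: validate the expected shape of the data
// (length, printable text) rather than blocklisting dangerous characters.
function validateMenuInput(string $name, string $description): array {
    $errors = [];
    $name = trim($name);
    $description = trim($description);
    if ($name === '' || mb_strlen($name) > 80) {
        $errors[] = 'name must be 1-80 characters';
    }
    if (mb_strlen($description) > 500) {
        $errors[] = 'description must be at most 500 characters';
    }
    // Reject ASCII control characters (tab, CR and LF are permitted).
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $name . $description)) {
        $errors[] = 'control characters are not allowed';
    }
    return $errors;
}

// Recommendation 1, output side: encode for the HTML context at render time.
// ENT_QUOTES also escapes single quotes, so the value is safe in attributes.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$name = (string)($_POST['name'] ?? '');
$description = (string)($_POST['description'] ?? '');
$errors = validateMenuInput($name, $description);

if ($errors) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo '<p class="error">' . h($e) . '</p>';
    }
    exit;
}

// Unencoded interpolation such as echo "<h2>$name</h2>"; is the bug class the
// advisory describes. Hardened form: every interpolation goes through h().
echo '<h2>' . h($name) . '</h2>';
echo '<p data-name="' . h($name) . '">' . h($description) . '</p>';
```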
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-06-04T11:17:00.886Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6840f64d182aa0cae2c85ee2
Added to database: 6/5/2025, 1:43:41 AM
Last enriched: 7/7/2025, 3:25:04 AM
Last updated: 7/30/2025, 4:12:52 PM