
CVE-2025-62956: Cross-Site Request Forgery (CSRF) in iseremet Reloadly

Severity: High
Type: Vulnerability
Published: Mon Oct 27 2025 (10/27/2025, 01:34:10 UTC)
Source: CVE Database V5
Vendor/Project: iseremet
Product: Reloadly

Description

Cross-Site Request Forgery (CSRF) vulnerability in iseremet Reloadly reloadly-topup-widget allows Stored XSS. This issue affects Reloadly: from n/a through <= 2.0.1.

AI-Powered Analysis

Last updated: 01/20/2026, 23:02:33 UTC

Technical Analysis

CVE-2025-62956 is a high-severity vulnerability in the iseremet Reloadly reloadly-topup-widget, a plugin that embeds Reloadly's mobile top-up and payment service in a website. The flaw is a Cross-Site Request Forgery (CSRF) weakness that can be chained into Stored Cross-Site Scripting (XSS). CSRF here means that a state-changing request handled by the widget does not verify that it originated from the site's own pages (no anti-CSRF token or equivalent check), so an attacker can craft a page or link that makes the browser of a logged-in user, typically an administrator, submit that request with the victim's session cookies attached. When the submitted content is saved and later rendered without output encoding, the attacker's script persists in the site and executes for every user who views the affected page; that is the Stored XSS outcome the advisory names. The analysis cites a CVSS 3.1 base score of 8.8 (High): the attack vector is network-based, attack complexity is low, the attacker needs no privileges of their own, and user interaction is required (the victim must load attacker-controlled content while authenticated). Note that the CVE record reproduced under Technical Details below carries no CVSS version field, so confirm the vector against the assigner's advisory before relying on the score. All releases of the widget up to and including 2.0.1 are affected, and no fixed version was listed when this analysis was last updated. Consequences of a successful chain include hijacking of privileged sessions, actions performed in the victim's context, data exposure, and defacement or disruption of the widget; because the widget fronts financial transactions, those consequences carry direct financial and reputational cost.

Potential Impact

For European organizations in fintech, telecommunications, and digital payments that embed the Reloadly widget, the risk is concrete. A successful CSRF-to-stored-XSS chain places attacker-controlled script in pages served to customers or administrators, which can be used to steal session cookies or credentials, silently issue requests in the victim's name, redirect users, or inject further malicious content. Whether a forged request can also trigger unauthorized top-ups or other payment actions depends on which widget endpoints lack CSRF protection; the advisory only states the Stored XSS outcome, so treat financial abuse as a possible rather than confirmed consequence. Any resulting exposure of customer data is a reportable personal-data breach under GDPR. Because the attack is network-based and the victim only has to visit an attacker-controlled page while logged in, exposure is not limited to the internal network. Organizations that rely on the widget for customer-facing services also face reputational and legal consequences if it is exploited.

Mitigation Recommendations

Site operators: inventory every site that runs the reloadly-topup-widget and, until a fixed release is available, deactivate it or restrict access to its administrative pages (for example with an IP allow-list or an authenticating reverse proxy). Limit the number of accounts that can change widget settings, since CSRF rides on their sessions, and have administrators use a separate browser profile or log out before browsing elsewhere. Deploy a Content Security Policy that disallows inline scripts so that an injected script block is not executed even if it is stored, and monitor access logs for POST requests to the widget's endpoints whose Origin or Referer header is missing or points to another site. Where the widget's public output can be rendered inside a sandboxed iframe, do so to confine any injected script; this does not protect the administrative pages where the stored value is edited. A Web Application Firewall with CSRF and XSS signatures is a reasonable interim layer, not a fix. Track the vendor for a patched release and update as soon as one is published.

Plugin developers (the actual fix): every state-changing request must verify an anti-CSRF token tied to the user's session, check the caller's capability, sanitize input on the way in, and encode every stored value on the way out with context-appropriate escaping so that an attacker-supplied value can never become executable script. If, as the Patchstack assignment suggests, this is a WordPress plugin, the relevant core APIs are wp_nonce_field() on the form, check_admin_referer() or wp_verify_nonce() in the handler, current_user_can() for authorization, and esc_html() / esc_attr() at output.
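The following standalone PHP script is an added example, not code from the Reloadly widget or from this page. It illustrates the CSRF-to-stored-XSS chain described in the Technical Analysis and the developer-side fix from the Mitigation Recommendations: a settings handler for a hypothetical top-up widget is shown first in the vulnerable shape (no token check, no authorization, raw output) and then hardened. The option name `widget_title`, the session layout, and the forged payload are all constructed for the demonstration; no WordPress core is required, so it runs with plain `php`.

```php
<?php
// Added example (not the Reloadly widget's code). Run with: php csrf_stored_xss_demo.php
declare(strict_types=1);

// ---- Vulnerable pattern -------------------------------------------------
function vulnerable_save(array $post, array &$storage): void
{
    // No anti-CSRF token and no capability check: a form auto-submitted from
    // an attacker's page by a logged-in admin's browser is accepted as a save.
    $storage['widget_title'] = $post['widget_title'] ?? '';
}

function vulnerable_render(array $storage): string
{
    // Stored value is interpolated into HTML unencoded: this is the stored XSS.
    return '<h2 class="reloadly-topup">' . $storage['widget_title'] . '</h2>';
}

// ---- Hardened pattern ---------------------------------------------------
function issue_csrf_token(array &$session): string
{
    // One unguessable token per session; the form embeds it in a hidden field.
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function hardened_save(array $post, array $session, array &$storage): bool
{
    // 1. Reject requests that do not carry the token issued to this session.
    //    hash_equals() makes the comparison constant-time.
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return false;
    }
    // 2. Authorization: only administrators may change widget settings.
    if (($session['role'] ?? '') !== 'administrator') {
        return false;
    }
    // 3. Sanitize on input (defense in depth; output encoding below is the real guard).
    $storage['widget_title'] = trim(strip_tags((string) ($post['widget_title'] ?? '')));
    return true;
}

function hardened_render(array $storage): string
{
    // 4. Encode on output for the HTML body context, whatever was stored.
    //    Pair this with a Content-Security-Policy that forbids inline scripts.
    $safe = htmlspecialchars($storage['widget_title'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h2 class="reloadly-topup">' . $safe . '</h2>';
}

// ---- Demonstration with a constructed forged request ---------------------
$forged  = ['widget_title' => '<script>document.title="injected"</script>'];
$session = ['role' => 'administrator'];  // the victim: a logged-in admin
$storage = [];

vulnerable_save($forged, $storage);
echo "vulnerable: " . vulnerable_render($storage) . PHP_EOL;
// the <script> element is now served to every visitor of the widget page

$storage  = [];
$accepted = hardened_save($forged, $session, $storage);   // no token: rejected
echo "hardened, forged request: " . ($accepted ? 'accepted' : 'rejected') . PHP_EOL;

$token    = issue_csrf_token($session);                   // token only the real form has
$legit    = ['widget_title' => 'Top up <b>now</b>', 'csrf_token' => $token];
$accepted = hardened_save($legit, $session, $storage);
echo "hardened, legitimate request: " . ($accepted ? 'accepted' : 'rejected')
    . ' -> ' . hardened_render($storage) . PHP_EOL;
```

The forged request fails at step 1 because the attacker's page cannot read the token from the victim's session, which is exactly the property the reported widget lacks. The output-encoding step is independent of the token check: even if a value were stored by some other path, `htmlspecialchars()` turns `<script>` into inert text instead of an executable element.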


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-10-24T14:24:55.408Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68fed03423a7bbed324acc6a

Added to database: 10/27/2025, 1:51:48 AM

Last enriched: 1/20/2026, 11:02:33 PM

Last updated: 2/6/2026, 1:33:41 PM

