CVE-2025-64220 is a Stored Cross-Site Scripting (XSS) vulnerability identified in ReyCommerce Rey Core, a component used in e-commerce platforms. The flaw stems from improper neutralization of user-supplied input during web page generation, which allows attackers to inject malicious scripts that are stored and later executed in the context of other users' browsers. This vulnerability affects all versions of Rey Core up to and including 3.1.8. Exploitation requires the attacker to have low privileges within the application and some level of user interaction, such as tricking a user into clicking a crafted link or viewing a malicious page. The CVSS v3.1 score is 6.5 (medium), reflecting the network attack vector, low attack complexity, requirement for privileges and user interaction, and the potential for confidentiality, integrity, and availability impacts. Stored XSS can lead to session hijacking, credential theft, unauthorized actions on behalf of users, and disruption of service. Although no known exploits are currently reported in the wild, the vulnerability represents a significant risk for web applications relying on Rey Core. The lack of available patches at the time of publication necessitates immediate attention to input validation and output encoding practices to mitigate risk.

For European organizations, especially those operating e-commerce platforms using ReyCommerce Rey Core, this vulnerability could lead to unauthorized access to user accounts, theft of sensitive customer data, and potential defacement or disruption of services. The confidentiality impact includes exposure of session tokens and personal data, while integrity could be compromised through unauthorized transactions or data manipulation. Availability might be affected if attackers leverage the vulnerability to perform denial-of-service attacks or disrupt normal operations. Given the prevalence of e-commerce in Europe and the reliance on web applications, exploitation could damage brand reputation, lead to regulatory penalties under GDPR for data breaches, and cause financial losses. The requirement for user interaction means phishing campaigns or social engineering could be used to facilitate attacks, increasing the risk to end users and organizations alike.

European organizations should implement strict input validation and output encoding to neutralize potentially malicious input before rendering it in web pages. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor application logs and user activity for signs of XSS exploitation attempts. Since no official patches are currently available, consider applying virtual patching via Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting Rey Core. Educate users about phishing risks to reduce the likelihood of successful social engineering attacks. Regularly update ReyCommerce components and subscribe to vendor advisories for timely patch releases. Conduct security code reviews and penetration testing focused on input handling and XSS vectors. Finally, implement multi-factor authentication to mitigate the impact of credential theft resulting from XSS attacks.