
CVE-2025-7143: Cross Site Scripting in SourceCodester Best Salon Management System

Severity: Medium
Tags: Vulnerability, CVE-2025-7143
Published: Mon Jul 07 2025 (07/07/2025, 20:02:06 UTC)
Source: CVE Database V5
Vendor/Project: SourceCodester
Product: Best Salon Management System

Description

A vulnerability, which was classified as problematic, was found in SourceCodester Best Salon Management System 1.0. This affects an unknown part of the file /panel/edit-tax.php of the component Update Tax Page. The manipulation of the argument Tax Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 07/07/2025, 20:41:02 UTC

Technical Analysis

CVE-2025-7143 is a cross-site scripting (XSS) vulnerability in SourceCodester Best Salon Management System 1.0, located in /panel/edit-tax.php, the Update Tax page of the administration panel. The 'Tax Name' parameter is written back into the page without adequate validation or output encoding, so a value containing HTML or JavaScript is rendered as markup rather than as text. The attack is network-reachable (CVSS 4.0 base score 4.8, Medium), but it is not unauthenticated: the vector requires high privileges (PR:H), meaning an authenticated panel user who can edit tax records, and passive user interaction (UI:P), meaning the script runs when another user loads a page that displays the manipulated value. The description does not say whether the payload is only reflected in the immediate response or stored with the tax record and shown to every panel user afterwards; the stored case is the more damaging one and should be assumed until the code has been checked. Injected JavaScript executes in the victim's browser with the victim's panel session, which permits session or credential theft, changes to tax data made through the victim's session, defacement, and redirection to attacker-controlled sites. Exploit details have been published; this page records no confirmed exploitation in the wild. No vendor fix was available at publication time, so mitigation falls to the deploying organization.
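The pattern behind a flaw of this kind, as an added illustration that is not code from SourceCodester Best Salon Management System (the real /panel/edit-tax.php source is not on this page, and the field name tax_name and the function names below are assumptions):

```php
<?php
// Added example, not the project's code. The form field name 'tax_name' and
// the render_* helpers are assumptions; the real edit-tax.php is not shown here.

// Vulnerable pattern: the submitted tax name is concatenated straight into the
// HTML attribute. A value containing a double quote closes the attribute and
// anything after it becomes markup, so event handlers or <script> execute.
function render_tax_name_vulnerable(string $taxName): string
{
    return '<input type="text" name="tax_name" value="' . $taxName . '">';
}

// Hardened: HTML-encode at the output sink. ENT_QUOTES encodes both ' and "
// so the value cannot break out of the attribute; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string; the explicit charset
// avoids encoding-mismatch bypasses. The same helper must be used at every
// place the stored name is displayed (tax list, invoices, reports).
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_tax_name_hardened(string $taxName): string
{
    return '<input type="text" name="tax_name" value="' . e($taxName) . '">';
}

// Constructed inputs: one legitimate value and two typical XSS probes.
$payloads = [
    'VAT 20%',
    '"><script>alert(document.cookie)</script>',
    '" onfocus="alert(1)" autofocus="',
];

foreach ($payloads as $p) {
    echo "vulnerable: ", render_tax_name_vulnerable($p), "\n";
    echo "hardened:   ", render_tax_name_hardened($p), "\n\n";
}
```

Run with `php example.php`: in the vulnerable output the second and third values produce a closed attribute followed by live script or an event handler, while the hardened output keeps them inside the attribute as `&quot;&gt;&lt;script&gt;...`. Note that encoding has to be applied wherever the name is rendered, not only on the edit form, because the stored value may be shown to other panel users.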

Potential Impact

For European organizations running Best Salon Management System 1.0, the risk concentrates on the administration panel: anyone who can edit tax records can plant script that runs in the sessions of other panel users, including more privileged ones. From there an attacker can take over those sessions, alter tax and pricing data, or present fake login prompts to harvest credentials. Because the affected component holds tax information, tampering can have financial and regulatory consequences, and a compromised administrator browser session can serve as a foothold for further access to the organization's network. The exposure is greatest for small and medium salon businesses that depend on this software for daily operations and expose the panel to the internet. A successful attack also carries reputational damage and GDPR implications where customer or staff personal data held by the system is exposed.

Mitigation Recommendations

Organizations should restrict access to the administration panel, including /panel/edit-tax.php, to trusted personnel and avoid exposing it directly to the internet; place it behind a VPN or an allowlisted network segment. On the code side, apply output encoding wherever a tax name is rendered (in PHP, htmlspecialchars with ENT_QUOTES and an explicit UTF-8 charset) and validate the 'Tax Name' field against an allowlist of expected characters on input. Validation alone is not sufficient, since encoding must happen at every output location, but it shrinks the attack surface. Add a Content-Security-Policy that disallows inline script as a browser-side backstop. Because no official patch is available, a web application firewall rule that inspects the tax-name field of POST requests to /panel/edit-tax.php for HTML tags, event-handler attributes and javascript: URLs can block the known payload shapes, with the understanding that WAF filters are bypassable and do not replace the code fix. Log changes to tax records together with the submitted values and review them, so injection attempts are visible rather than silently stored. Brief staff that the panel can be a target and that unexpected prompts or redirects inside it should be reported. Where the vendor remains unresponsive, plan a migration to a maintained product.
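Defence in depth for the input side, as an added example that is not part of the project's code: a server-side allowlist for the tax name, a CSP backstop, and logging of rejected values so exploitation attempts surface in monitoring. The function names, the 64-character limit and the permitted character set are assumptions chosen for illustration; adjust them to the names actually used in the deployment.

```php
<?php
// Added example, not the project's code. Names, limits and the allowed character
// set are assumptions. Output encoding is still required at every display site;
// this only rejects clearly hostile values before they are stored.

// Allowlist the tax name: letters and digits from any script, space, and a
// small set of punctuation used in real tax labels. Angle brackets, quotes,
// semicolons and backslashes are not in the set, so common XSS probes fail.
function validate_tax_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    if (!preg_match('/\A[\p{L}\p{N} .%()\-\/&]+\z/u', $name)) {
        return null;
    }
    return $name;
}

// Browser-side backstop: a policy with no 'unsafe-inline' makes an injected
// <script> or onerror= handler inert even if a sink is missed. Deploy only
// after confirming the panel's own pages work without inline script, or
// switch them to nonce-based script tags first.
function send_security_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
}

// Record rejected submissions with the acting user so that repeated attempts
// against the tax form stand out in log review.
function log_rejected_tax_name(string $user, string $value): void
{
    error_log(sprintf(
        'edit-tax: rejected tax name user=%s value=%s',
        $user,
        json_encode($value, JSON_UNESCAPED_UNICODE)
    ));
}

// Constructed sample submissions; 'admin' stands in for the session user.
$samples = [
    'Service Tax (5%)',
    'VAT/Standard & Reduced',
    '<img src=x onerror=alert(1)>',
    '" autofocus onfocus="alert(document.cookie)',
];

foreach ($samples as $s) {
    $clean = validate_tax_name($s);
    if ($clean === null) {
        log_rejected_tax_name('admin', $s);
        echo "rejected: $s\n";
    } else {
        echo "accepted: $clean\n";
    }
}
```

The first two samples are accepted and the two probes are rejected and written to the PHP error log. In a real handler, send_security_headers() is called before any output and validate_tax_name() guards the database write; the rejection log line is what a monitoring rule for the tax form would key on.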


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-07-06T19:04:35.195Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 686c2cfb6f40f0eb72eca334

Added to database: 7/7/2025, 8:24:27 PM

Last enriched: 7/7/2025, 8:41:02 PM

Last updated: 7/7/2025, 9:09:25 PM
