CVE-2025-8750: Cross Site Scripting in macrozheng mall
A vulnerability has been found in macrozheng mall up to 1.0.3 and classified as problematic. Affected by this vulnerability is the function Upload of the file /minio/upload of the component Add Product Page. The manipulation of the argument File leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-8750 is a cross-site scripting (XSS) vulnerability identified in the macrozheng mall application, specifically affecting versions 1.0.0 through 1.0.3. The vulnerability resides in the Upload function of the /minio/upload endpoint within the Add Product Page component. The issue arises from improper sanitization or validation of the 'File' argument, which an attacker can manipulate to inject malicious scripts. This vulnerability can be exploited remotely without requiring authentication, although user interaction is necessary to trigger the malicious payload. The disclosed exploit allows attackers to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, credential theft, or unauthorized actions on behalf of the user. The vendor has not responded to the disclosure, and no official patches are currently available. The CVSS 4.0 base score is 4.8, indicating a medium severity level, reflecting the moderate impact and ease of exploitation with some limitations such as required user interaction and limited integrity impact.
Potential Impact
For European organizations using macrozheng mall versions up to 1.0.3, this XSS vulnerability poses risks primarily to the confidentiality and integrity of user sessions and data. Attackers could exploit this flaw to steal session cookies, perform actions on behalf of authenticated users, or deliver further malware payloads through the victim's browser. This could lead to unauthorized access to sensitive business information, disruption of e-commerce operations, and damage to customer trust. Given that the vulnerability affects the product upload functionality, attackers might also manipulate product listings or inject malicious content visible to end customers, potentially harming brand reputation. The lack of vendor response and patches increases exposure time, raising the risk of exploitation. European organizations with customer-facing e-commerce platforms are particularly vulnerable to reputational damage and regulatory scrutiny under GDPR if customer data is compromised.
Mitigation Recommendations
Since no official patches are available, European organizations should implement immediate compensating controls. These include deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the /minio/upload endpoint and the 'File' parameter. Input validation and output encoding should be enforced at the application level to sanitize user inputs, especially file upload parameters. Organizations should conduct thorough code reviews and consider temporarily disabling or restricting the vulnerable upload functionality if feasible. Monitoring web logs for unusual activity related to the upload endpoint can help detect exploitation attempts early. Additionally, educating users about the risks of clicking on suspicious links and ensuring browsers are up to date can reduce the impact of XSS attacks. Finally, organizations should engage with the vendor or consider migrating to alternative platforms with active security support.
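The following is an added example, written for this page and not code from macrozheng mall, showing the two application-level controls and the log review recommended above: a filename validator that never reuses the client-supplied name, an HTML-escaped rendering of the upload result, and a first-pass scan of access-log lines for the upload endpoint. The extension allowlist, the `token` parameter (present only so the otherwise random stored name can be pinned in tests) and the Nginx-style log lines are all constructed for illustration.

```python
import html
import re
import secrets
from collections import Counter
from typing import List, Optional, Tuple

# Hypothetical allowlist; a real deployment chooses its own set.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "webp"}
UPLOAD_PATH = "/minio/upload"


class UploadRejected(ValueError):
    """Raised when a client-supplied filename fails validation."""


def sanitize_upload_filename(client_name: str, token: Optional[str] = None) -> str:
    """Turn a client-supplied filename into a server-chosen object name.

    Only the extension is checked against the allowlist; the client's own
    stem is discarded and replaced by a random hex token, so the raw 'File'
    name never becomes a storage key or reaches a later page unescaped.
    Content-type sniffing of the bytes is a separate control not shown here.
    """
    # Drop any path component, whichever separator the client used.
    base = client_name.replace("\\", "/").rsplit("/", 1)[-1].strip()
    if not base or "." not in base:
        raise UploadRejected("filename has no extension")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext!r}")
    return f"{token or secrets.token_hex(16)}.{ext}"


def render_upload_result(client_name: str, stored_name: str) -> str:
    """HTML fragment confirming an upload with the client's name escaped.

    If the original name must be echoed at all (a listing, a success
    message), html.escape turns any markup in it into visible text.
    """
    return (
        f"<p>Uploaded <code>{html.escape(client_name, quote=True)}</code> "
        f"as <code>{stored_name}</code></p>"
    )


# Constructed combined-format access-log lines; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Aug/2025:07:00:01 +0000] "POST /minio/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2025:07:00:02 +0000] "POST /minio/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2025:07:00:02 +0000] "POST /minio/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2025:07:00:03 +0000] "POST /minio/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Aug/2025:07:00:03 +0000] "POST /minio/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [09/Aug/2025:07:05:10 +0000] "POST /minio/upload?name=%3Cb%3E HTTP/1.1" 200 88 "-" "curl/8.0"
192.0.2.9 - - [09/Aug/2025:07:06:00 +0000] "GET /product/list HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Aug/2025:07:06:30 +0000] "POST /minio/upload HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
MARKUP_RE = re.compile(r"(<|>|%3C|%3E)", re.IGNORECASE)


def flag_upload_activity(log_text: str, burst_threshold: int = 5) -> List[Tuple[str, str]]:
    """First-pass review of access logs for the upload endpoint.

    Returns (kind, detail) findings:
      ("markup-in-request", "<ip> <target>") for upload requests whose request
          line carries angle brackets, raw or URL-encoded;
      ("upload-burst", "<ip>") for sources sending >= burst_threshold uploads.
    The multipart body, where the filename actually travels, is not in the
    access log, so UploadRejected events should also be logged by the
    application; this function sees only the request line.
    """
    findings: List[Tuple[str, str]] = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].startswith(UPLOAD_PATH):
            continue
        per_ip[m["ip"]] += 1
        if MARKUP_RE.search(m["target"]):
            findings.append(("markup-in-request", f'{m["ip"]} {m["target"]}'))
    for ip, n in per_ip.items():
        if n >= burst_threshold:
            findings.append(("upload-burst", ip))
    return findings


if __name__ == "__main__":
    for kind, detail in flag_upload_activity(SAMPLE_LOG):
        print(kind, detail)
```

The validator and the escaper are independent: even with a random stored name, any place that echoes the original name (or any other client string) must still encode on output, and the log scan is a triage aid that should be paired with application-side logging of rejected uploads, because the access log never contains the multipart filename.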
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-08T11:25:32.344Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 6896f61bad5a09ad0009e17d
Added to database: 8/9/2025, 7:17:47 AM
Last enriched: 8/9/2025, 7:32:43 AM
Last updated: 8/10/2025, 12:33:53 AM
Views: 8
Related Threats
- CVE-2025-8787: Cross Site Scripting in Portabilis i-Diario (Medium)
- CVE-2025-8786: Cross Site Scripting in Portabilis i-Diario (Medium)
- CVE-2025-8755: Authorization Bypass in macrozheng mall (Medium)
- CVE-2025-8763: Missing Encryption of Sensitive Data in Ruijie EG306MG (Medium)
- CVE-2025-8774: Observable Timing Discrepancy in riscv-boom SonicBOOM (Low)