
CVE-2025-8750: Cross Site Scripting in macrozheng mall

Severity: Medium
Tags: Vulnerability, CVE-2025-8750, cve, cve-2025-8750
Published: Sat Aug 09 2025 (08/09/2025, 07:02:06 UTC)
Source: CVE Database V5
Vendor/Project: macrozheng
Product: mall

Description

A vulnerability has been found in macrozheng mall up to 1.0.3 and classified as problematic. Affected by this vulnerability is the function Upload of the file /minio/upload of the component Add Product Page. The manipulation of the argument File leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

AI analysis last updated: 08/17/2025, 01:06:22 UTC

Technical Analysis

CVE-2025-8750 is a cross-site scripting (XSS) vulnerability identified in the macrozheng mall e-commerce platform, specifically affecting versions 1.0.0 through 1.0.3. The vulnerability resides in the 'Upload' function of the '/minio/upload' endpoint within the Add Product Page component. The issue arises from improper sanitization or validation of the 'File' argument, which an attacker can manipulate to inject malicious scripts. This flaw allows an attacker to execute arbitrary JavaScript in the context of the victim's browser when the victim accesses a compromised page or resource. The vulnerability is remotely exploitable without requiring authentication, although user interaction is needed to trigger the script execution (e.g., visiting a crafted URL or page). The vendor was notified but did not respond or provide a patch; no exploitation in the wild is currently observed, but public disclosure of the exploit code increases the risk. The CVSS 4.0 base score is 4.8, a medium severity level. The attack vector is network-based with low attack complexity and no privileges required, but user interaction is necessary. The impact on confidentiality is minimal and the integrity and availability impact is limited; the main consequence is client-side attacks such as session hijacking, credential theft, or defacement through script injection.

Potential Impact

For European organizations using macrozheng mall versions up to 1.0.3, this XSS vulnerability poses a risk primarily to the confidentiality and integrity of user sessions and data. Attackers could exploit this flaw to steal session cookies, perform phishing attacks, or execute unauthorized actions on behalf of users with elevated privileges, potentially leading to data leakage or unauthorized transactions. Given the e-commerce context, this could result in financial losses, reputational damage, and regulatory compliance issues under GDPR if personal data is compromised. The lack of vendor response and patch availability increases the window of exposure. Organizations relying on this platform for online sales or customer interaction in Europe should be aware that attackers could target their customers or administrators, especially since the vulnerability is remotely exploitable and requires only user interaction. While the direct impact on backend systems is limited, the client-side risks and potential for social engineering attacks elevate the threat level.

Mitigation Recommendations

Since no official patch is available, European organizations should implement immediate compensating controls. These include:

1) Employing web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting the '/minio/upload' endpoint, especially filtering suspicious input in the 'File' parameter.
2) Enforcing strict Content Security Policy (CSP) headers to restrict script execution sources and mitigate the impact of injected scripts.
3) Conducting input validation and output encoding on the server side if possible, or applying reverse proxies that sanitize inputs before reaching the application.
4) Educating users and administrators about the risk of clicking untrusted links or uploading files from unknown sources.
5) Monitoring logs and network traffic for unusual activity related to the vulnerable endpoint.
6) Planning for an upgrade or migration to a patched or alternative e-commerce platform once available.
7) Isolating the vulnerable component or restricting access to trusted IPs where feasible to reduce exposure.


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-08T11:25:32.344Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6896f61bad5a09ad0009e17d

Added to database: 8/9/2025, 7:17:47 AM

Last enriched: 8/17/2025, 1:06:22 AM

Last updated: 9/17/2025, 10:50:16 AM
