CVE-2025-13469: Low-Severity XSS Flaw Found in PKP OMP/OJS Payment Instructions

Overview

CVE-2025-13469 describes a Cross-Site Scripting (XSS) vulnerability identified in Public Knowledge Project (PKP) Open Monograph Press (OMP) and Open Journal Systems (OJS) versions 3.3.0, 3.4.0, and 3.5.0. It allows a remote attacker to inject arbitrary web script or HTML that is then rendered and executed in a user’s browser. The flaw resides in the Payment Instructions Setting Handler of the manual payment plugin.

Technical Details

The vulnerability exists in the plugins/paymethod/manual/templates/paymentForm.tpl file. The manualInstructions value is written into the template without proper sanitization or output escaping, so any JavaScript it contains is emitted as live markup. When a user views the payment form, the injected script executes in that user’s browser context. Successful exploitation requires the attacker to first control the value of manualInstructions, which might involve exploiting another vulnerability or manipulating the plugin’s configuration settings; this prerequisite is why the attack complexity is rated high.
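To make the mechanism concrete, the following added example (written for this page, not PKP’s code) emulates the template’s output for a constructed instructions string, once echoed raw and once HTML-encoded. The encoded path stands in for what a Smarty escape modifier on the template variable would do; the exact patched template line is an assumption, not quoted from the upstream fix.

```php
<?php
// Added illustration, not PKP's code: the same payment-instructions string
// rendered raw (vulnerable) versus HTML-encoded (hardened).

// Constructed sample: the canonical XSS test string embedded in otherwise
// legitimate instructions text.
const SAMPLE_INSTRUCTIONS = 'Pay by bank transfer to account 1234.'
    . ' <script>alert(1)</script>';

/**
 * Vulnerable rendering: the value is interpolated into the HTML body
 * without encoding, so any markup in it becomes part of the page.
 */
function renderInstructionsUnsafe(string $manualInstructions): string
{
    return '<div id="manualInstructions">' . $manualInstructions . '</div>';
}

/**
 * Hardened rendering: encode for the HTML body context. ENT_QUOTES also
 * covers attribute contexts; the explicit charset avoids mis-decoding.
 * (Assumed equivalent of applying Smarty's `escape` modifier in the .tpl.)
 */
function renderInstructionsSafe(string $manualInstructions): string
{
    $encoded = htmlspecialchars($manualInstructions, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div id="manualInstructions">' . $encoded . '</div>';
}

/**
 * Audit helper for administrators: flag a stored instructions value that
 * contains any markup, so it can be reviewed before the upgrade is applied.
 */
function instructionsContainMarkup(string $manualInstructions): bool
{
    return $manualInstructions !== strip_tags($manualInstructions);
}

$unsafe = renderInstructionsUnsafe(SAMPLE_INSTRUCTIONS);
$safe   = renderInstructionsSafe(SAMPLE_INSTRUCTIONS);

assert(str_contains($unsafe, '<script>'));   // script tag survives as markup
assert(!str_contains($safe, '<script>'));    // rendered as literal text only
assert(instructionsContainMarkup(SAMPLE_INSTRUCTIONS));
assert(!instructionsContainMarkup('Pay by bank transfer to account 1234.'));

echo $safe, PHP_EOL;
```

Run with `php -d zend.assertions=1` so the assertions are evaluated; the audit helper can be pointed at the instructions value stored in the plugin settings to spot pre-existing markup.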

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13469 is 2.4. This indicates a LOW severity vulnerability.

  • Attack Vector: Network (AV:N)
  • Attack Complexity: High (AC:H)
  • Privileges Required: None (PR:N)
  • User Interaction: Required (UI:R)
  • Scope: Unchanged (S:U)
  • Confidentiality Impact: Low (C:L)
  • Integrity Impact: Low (I:L)
  • Availability Impact: None (A:N)

Possible Impact

While the CVSS score is low, the exploitation of this XSS vulnerability could have the following potential impacts:

  • Session Hijacking: An attacker could potentially steal user session cookies, allowing them to impersonate the user.
  • Defacement: The attacker could modify the appearance of the payment form, potentially leading to confusion or distrust.
  • Redirection: The attacker could redirect users to malicious websites.
  • Data Theft: The attacker might be able to collect sensitive information entered on the payment form.

Mitigation and Patch Steps

The recommended mitigation step is to upgrade your OMP or OJS installation to a version that includes a fix for this vulnerability. Check the Public Knowledge Project website for the latest versions and security advisories.

Specifically, ensure you are running a version of OMP/OJS that incorporates the fix tracked in the referenced GitHub issues. Applying the security patches provided by PKP promptly is essential; until then, review the stored payment instructions for unexpected markup.

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
