CVE-2025-13450
📋 TL;DR
This vulnerability allows attackers to inject malicious scripts into the registration page of SourceCodester Online Shop Project 1.0. When users visit the compromised registration page, the scripts execute in their browsers, potentially stealing session cookies or redirecting to malicious sites. Anyone running this specific e-commerce software is affected.
💻 Affected Systems
- SourceCodester Online Shop Project
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal administrator session cookies, gain full control of the e-commerce platform, access customer data including payment information, and deface or take down the entire online store.
Likely Case
Attackers steal user session cookies to hijack accounts, redirect users to phishing sites, or display malicious content that could lead to credential theft or malware installation.
If Mitigated
With proper input validation and output encoding, the XSS payloads are neutralized before reaching users, preventing script execution while maintaining normal registration functionality.
🎯 Exploit Status
The exploit is publicly disclosed and requires minimal technical skill to execute. Attackers can craft malicious registration forms or links containing XSS payloads.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://www.sourcecodester.com/
Restart Required: No
Instructions:
1. Check the SourceCodester website for security updates.
2. If a patch is available, download it and replace the affected files.
3. Test registration functionality after patching.
🔧 Temporary Workarounds
Input Validation and Sanitization
Add server-side validation to the f_name parameter in register.php to reject or sanitize malicious input containing script tags and special characters.
Edit /shop/register.php to add: $f_name = htmlspecialchars($_POST['f_name'], ENT_QUOTES, 'UTF-8');
Web Application Firewall (WAF) Rules
Configure the WAF to block requests containing XSS payloads targeting the /shop/register.php endpoint and the f_name parameter.
Add WAF rule: Block if URI contains '/shop/register.php' AND parameter 'f_name' contains '<script' or 'javascript:'
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution sources
- Disable user registration functionality if not essential for business operations
🔍 How to Verify
Check if Vulnerable:
Test by submitting a payload such as <script>alert('XSS')</script> in the f_name field during registration and check whether the script executes.
Check Version:
Check project documentation or source code comments for version information
Verify Fix Applied:
Submit the same XSS payload and verify it's either blocked, sanitized to display as plain text, or triggers a validation error.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /shop/register.php with f_name parameter containing script tags, javascript:, or other XSS patterns
- Unusual registration attempts with long or encoded parameter values
Network Indicators:
- Traffic to /shop/register.php with suspicious payloads in POST data
- Outbound connections from the shop server to unknown domains following registration attempts
SIEM Query:
source="web_logs" AND uri="/shop/register.php" AND (param="f_name" AND value MATCHES "<script|javascript:|onload=|onerror=")
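The SIEM query above, expressed as detection logic and run over constructed log lines; this is an added example, not part of the advisory. It assumes a log format that records the POST body (labelled in the code) and, going one step beyond the query, percent-decodes values repeatedly so that the "encoded parameter values" listed under Log Indicators are matched after decoding.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus

# Indicators copied from the advisory's SIEM query, matched case-insensitively.
XSS_PATTERNS = re.compile(r"<script|javascript:|onload=|onerror=", re.IGNORECASE)

# Assumed (constructed) log format: the web server appends the raw POST body as
# body="..." after the status code. Standard access logs do not record bodies.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)

def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so double-encoded payloads become visible."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line: str) -> Optional[dict]:
    """Return a finding for a POST to /shop/register.php whose f_name matches, else None."""
    m = LOG_LINE.match(line.rstrip("\n"))
    if not m or m["method"] != "POST":
        return None
    if m["uri"].split("?", 1)[0] != "/shop/register.php":
        return None
    # parse_qs already applies one round of percent-decoding to each value.
    for raw in parse_qs(m["body"], keep_blank_values=True).get("f_name", []):
        value = fully_decode(raw)
        if XSS_PATTERNS.search(value):
            return {"ip": m["ip"], "ts": m["ts"], "f_name": value}
    return None

def scan_log(text: str) -> List[dict]:
    """Scan a whole log text; one finding per suspicious line."""
    return [f for f in map(scan_line, text.splitlines()) if f]

# Constructed sample log lines (not real traffic); line 3 is double-encoded.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2025:10:01:12 +0000] "POST /shop/register.php HTTP/1.1" 200 body="f_name=Alice&l_name=Smith"
203.0.113.9 - - [20/Nov/2025:10:02:45 +0000] "POST /shop/register.php HTTP/1.1" 200 body="f_name=%3Cscript%3Ealert('XSS')%3C%2Fscript%3E&l_name=x"
203.0.113.9 - - [20/Nov/2025:10:03:01 +0000] "POST /shop/register.php HTTP/1.1" 200 body="f_name=%253Cscript%253Ealert('XSS')%253C%252Fscript%253E&l_name=x"
198.51.100.4 - - [20/Nov/2025:10:04:30 +0000] "GET /shop/register.php HTTP/1.1" 200 body=""
203.0.113.9 - - [20/Nov/2025:10:05:00 +0000] "POST /shop/login.php HTTP/1.1" 302 body="f_name=%3Cscript%3E"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the two POSTs to register.php carrying a script tag in f_name are reported; the GET and the login.php request are ignored, matching the URI and method filter of the SIEM query.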