Platform: php
Component: pkp-lib
Fixed in: 3.3.1, 3.4.1, 3.5.1
A cross-site scripting (XSS) vulnerability has been identified in Public Knowledge Project Open Monograph Publisher (OMP) versions 3.3.0 through 3.5.0. This vulnerability affects the Payment Instructions Setting Handler component and allows an attacker to inject malicious scripts via manipulation of the manualInstructions argument. Successful exploitation could lead to session hijacking or defacement of the OMP website. The vulnerability is fixed in version 3.5.1.
The XSS vulnerability in OMP allows an attacker to inject arbitrary JavaScript code into the web page viewed by other users. This can be exploited to steal user credentials, redirect users to malicious websites, or deface the website. The impact is particularly severe if the OMP instance is used to manage sensitive data or handle financial transactions. An attacker could potentially gain unauthorized access to user accounts and perform actions on their behalf. While the CVSS score is LOW, the potential for user data compromise and website manipulation warrants immediate attention.
This vulnerability was publicly disclosed on 2025-11-20. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation suggests that it could become a target for automated attacks. The vulnerability is not currently listed on CISA KEV. The LOW CVSS score reflects the limited impact and difficulty of exploitation, but proactive mitigation is still recommended.
Exploit Status
EPSS: 0.06% (19th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-13469 is to upgrade to OMP version 3.5.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the manualInstructions parameter to prevent malicious code from being injected. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Review and update any custom plugins or themes to ensure they do not introduce similar vulnerabilities.
Update Public Knowledge Project omp/ojs to a version later than 3.5.0. This will resolve the cross-site scripting (XSS) vulnerability in the Payment Instructions Setting Handler component. See the release notes for more details about the update.
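The interim mitigation above, validating the setting on the way in and encoding it on the way out, as an added PHP example; these are hypothetical helpers written for this page, not pkp-lib's own handler code, and the sample string is constructed:

```php
<?php
declare(strict_types=1);

// Hypothetical helpers (not pkp-lib code) for an untrusted free-text
// setting such as manualInstructions.

/**
 * Input-side validation: reject values that cannot be legitimate
 * instructions. Returns null when acceptable, otherwise a short reason.
 */
function validateManualInstructions(string $raw, int $maxLength = 4000): ?string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return 'invalid UTF-8';
    }
    if (mb_strlen($raw, 'UTF-8') > $maxLength) {
        return 'too long';
    }
    // Control characters other than tab, LF and CR have no place here.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $raw)) {
        return 'control characters';
    }
    return null;
}

/**
 * Output-side encoding: the stored value is treated as plain text, never
 * as markup. Escape first, then convert newlines to <br>, so the only
 * tags in the output are the ones this function emits.
 */
function renderManualInstructions(string $stored): string
{
    $escaped = htmlspecialchars(
        $stored,
        ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE,
        'UTF-8'
    );
    return nl2br($escaped, false);
}

// Constructed sample: legitimate text containing HTML-significant characters.
$sample = "Bank transfer to <Account 123>\n"
    . "Email receipt to billing@example.org & quote \"ORDER-1\"";

if (($problem = validateManualInstructions($sample)) !== null) {
    echo "rejected: $problem\n";
} else {
    echo renderManualInstructions($sample), "\n";
}
```

Validation on input is a backstop only; the output encoding is what prevents the stored value from being interpreted as script in the page where it is displayed.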
CVE-2025-13469 is a cross-site scripting (XSS) vulnerability affecting Public Knowledge Project OMP versions 3.3.0 through 3.5.0, allowing attackers to inject malicious scripts.
You are affected if you are running Public Knowledge Project OMP versions 3.3.0, 3.4.0, or 3.5.0. Upgrade to 3.5.1 or later to resolve the issue.
Upgrade to Public Knowledge Project OMP version 3.5.1 or later. Consider input validation and WAF rules as interim measures.
While no active exploitation has been confirmed, the ease of exploitation suggests it could become a target. Proactive mitigation is recommended.
Refer to the Public Knowledge Project security advisories page for the latest information: [https://security.pkp.org/](https://security.pkp.org/)