Cyber Posture

CVE-2025-13002

Severity: High

Published: 12 February 2026
Modified: 10 March 2026
KEV Added: (not listed)
Patch: (none listed)
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H)
EPSS Score: 0.0001 (2.3rd percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-13002 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Farktor E-Commerce Package. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 2.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent (SI-15 Information Output Filtering): Directly addresses improper neutralization of input during web page generation by filtering output to prevent XSS script injection.
- prevent (SI-10 Information Input Validation): Validates user inputs to block malicious payloads that could lead to XSS in the E-Commerce Package.
- prevent: Remediates the specific XSS flaw in E-Commerce Package versions through 27112025 by applying timely patches and updates.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1189 Drive-by Compromise (Initial Access): Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
Why these techniques?

XSS in a public-facing web application directly enables exploitation of the application itself (T1190) and can turn the site into a vector for drive-by compromise of its visitors (T1189).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Farktor Software E-Commerce Services Inc. E-Commerce Package allows Cross-Site Scripting (XSS). This issue affects E-Commerce Package: through 27112025.

Deeper analysis

CVE-2025-13002 is an Improper Neutralization of Input During Web Page Generation vulnerability that enables Cross-Site Scripting (XSS), mapped to CWE-79. It affects the E-Commerce Package developed by Farktor Software E-Commerce Services Inc., with the issue present in versions through 27112025.

The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H), indicating it can be exploited remotely over the network with low attack complexity, no required privileges, and no user interaction. Attackers can achieve low integrity impact alongside high availability impact in an unchanged scope.

Mitigation guidance is available in the advisory from USOM at https://www.usom.gov.tr/bildirim/tr-26-0063.

Details

CWE(s): CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected Products

- farktor / e-commerce package: versions ≤ 2025-11-27 (listed by NVD as "through 27112025")

CVEs Like This One

- CVE-2025-10969: same product (Farktor E-Commerce Package)
- CVE-2026-26276: shared CWE-79
- CVE-2025-68838: shared CWE-79
- CVE-2024-56028: shared CWE-79
- CVE-2026-1216: shared CWE-79
- CVE-2025-28917: shared CWE-79
- CVE-2025-67984: shared CWE-79
- CVE-2025-69318: shared CWE-79
- CVE-2026-1931: shared CWE-79
- CVE-2025-23994: shared CWE-79

References