CVE-2025-12518 identifies a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 in the Bee Content Design Befree SDK, specifically within the Social Media icon URL parameter of its email builder feature. This vulnerability allows an attacker to inject arbitrary HTML and JavaScript code into email templates. When a user accesses the preview page of the crafted template, the malicious code executes in the context of the application, potentially leading to session hijacking, credential theft, or other malicious actions. The vulnerability arises due to improper neutralization of input during web page generation, where user-supplied URL parameters are not adequately sanitized or encoded before rendering. Although the SDK enforces a Content Security Policy (CSP) that restricts some script execution, it does not fully prevent all XSS payloads from executing. The issue affects all versions prior to 3.47.0, which includes the initial release and subsequent updates until the patch. The vulnerability does not require authentication or privileges to exploit but does require the victim to interact with the preview page to trigger the payload. The CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) reflects network attack vector, low attack complexity, no privileges or authentication required, user interaction needed, and limited scope and impact confined to integrity and confidentiality. No known exploits have been reported in the wild as of the publication date. This vulnerability is significant for organizations leveraging the Befree SDK in their email marketing or content creation workflows, as it could be leveraged to compromise internal users or clients viewing preview content.

The primary impact of CVE-2025-12518 is the potential execution of malicious scripts within the context of the Befree SDK preview environment. This can lead to unauthorized actions such as theft of session tokens, defacement of email templates, or redirection to malicious sites. For organizations, this could result in compromised internal systems if employees preview malicious templates, or damage to brand reputation if malicious content is inadvertently distributed. Since the vulnerability is stored XSS, the malicious payload persists in templates, increasing the risk of repeated exploitation. The limited scope of the CSP reduces but does not eliminate risk, meaning some attack vectors remain viable. The medium CVSS score reflects moderate impact, but the ease of exploitation (no authentication required) and the widespread use of the SDK in email marketing platforms elevate the threat. Organizations relying on the Befree SDK for email content creation and previewing are at risk of internal compromise and should consider the potential for lateral movement or data leakage if exploited.

Organizations should immediately update the Bee Content Design Befree SDK to version 3.47.0 or later, where this vulnerability is patched. Until the update is applied, restrict access to the email template preview functionality to trusted users only and monitor for unusual activity related to template creation or previewing. Implement additional input validation and output encoding on URL parameters, especially those controlling social media icon URLs, to prevent injection of malicious scripts. Review and strengthen the Content Security Policy to further restrict script execution, including disallowing inline scripts and limiting allowed sources. Conduct security training for developers and content creators to recognize and avoid injecting untrusted input into templates. Employ runtime application self-protection (RASP) or web application firewalls (WAF) with custom rules to detect and block suspicious payloads targeting the preview page. Finally, audit existing email templates for suspicious or unauthorized code injections and remove any malicious content.