CVE-2025-15144 is a cross-site scripting vulnerability identified in dayrui XunRuiCMS, specifically in versions 4.7.0 and 4.7.1. The vulnerability resides in the JSONP callback handler implemented in the dr_show_error and dr_exit_msg functions within the /dayrui/Fcms/Init.php file. These functions improperly sanitize or validate the 'callback' parameter, which is used to generate JSONP responses. An attacker can craft a malicious URL with a manipulated 'callback' argument that injects arbitrary JavaScript code. When a victim accesses this URL, the injected script executes in their browser context, potentially allowing session hijacking, credential theft, or other malicious activities. The vulnerability is remotely exploitable without requiring authentication, but it does require user interaction to trigger the payload. The vendor was notified early but has not issued a patch or response, and public exploit code is available, increasing the risk of exploitation. The CVSS 4.0 base score is 5.3 (medium severity), reflecting the ease of remote exploitation and the impact on confidentiality and integrity, though availability is not affected. No known exploits in the wild have been reported yet, but the availability of public exploits necessitates proactive defense.

The primary impact of this vulnerability is the potential compromise of user confidentiality and integrity through the execution of arbitrary scripts in the context of the affected website. Attackers can steal session cookies, perform actions on behalf of authenticated users, or redirect victims to malicious sites. This can lead to account takeover, data leakage, and reputational damage for organizations using XunRuiCMS. Since the vulnerability is remotely exploitable without authentication, any publicly accessible installation of the affected CMS versions is at risk. The lack of vendor response and patches increases the window of exposure. Organizations relying on XunRuiCMS for content management, especially those with sensitive user data or critical web services, face increased risk of targeted attacks or widespread exploitation if the vulnerability is weaponized. The impact is primarily on web application security and user trust.

Until an official patch is released, organizations should implement the following mitigations: 1) Apply strict input validation and sanitization on the 'callback' parameter at the web application or web server level, blocking or filtering suspicious characters or patterns commonly used in XSS payloads. 2) Employ a Web Application Firewall (WAF) with rules specifically designed to detect and block malicious JSONP callback manipulations. 3) Disable JSONP functionality if it is not required by the application to eliminate the attack surface. 4) Educate users and administrators about the risks of clicking untrusted links and encourage the use of security-conscious browsing practices. 5) Monitor web server logs for unusual requests containing suspicious 'callback' parameters to detect potential exploitation attempts. 6) Plan for an upgrade or migration to a patched or alternative CMS solution once available. 7) Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers, mitigating the impact of successful XSS attacks.