CVE-2025-15144: Cross Site Scripting in dayrui XunRuiCMS
A weakness has been identified in dayrui XunRuiCMS up to 4.7.1. The impacted element is the function dr_show_error/dr_exit_msg of the file /dayrui/Fcms/Init.php of the component JSONP Callback Handler. This manipulation of the argument callback causes cross site scripting. The attack can be initiated remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-15144 is a cross-site scripting vulnerability identified in dayrui XunRuiCMS up to version 4.7.1. The vulnerability exists in the JSONP callback handler implemented in the dr_show_error/dr_exit_msg function located in /dayrui/Fcms/Init.php. Specifically, the 'callback' parameter is not properly sanitized or validated, allowing an attacker to inject arbitrary JavaScript code. The vulnerability can be exploited remotely without authentication or privileges; the only requirement is that a victim user opens a crafted URL containing a malicious callback argument. The attack vector leverages JSONP, a technique used to circumvent the same-origin policy by wrapping JSON responses in a callback function. Because the callback parameter is reflected directly into the response without proper encoding, it enables persistent or reflected XSS attacks. The vendor was contacted early but did not respond, and no official patches or mitigations have been released. The CVSS 4.0 score is 5.3 (medium), reflecting the ease of exploitation (network attack vector, no privileges required, and no interaction needed beyond the victim opening the crafted link) and a limited impact on confidentiality and integrity, with the main risk being user session hijacking or phishing. Although no exploitation in the wild has been reported, a public exploit is available, which increases the risk. This vulnerability primarily threatens web applications running XunRuiCMS versions 4.7.0 and 4.7.1, which organizations may use for content management and their web presence.
Potential Impact
For European organizations, this vulnerability poses a risk of client-side attacks such as session hijacking, credential theft, or distribution of malware via malicious scripts injected through the vulnerable JSONP callback parameter. Organizations relying on XunRuiCMS for their websites or intranet portals could see compromised user accounts or reputational damage if attackers exploit this flaw. The lack of vendor response and absence of patches increases exposure time. Attackers could target employees or customers through phishing campaigns leveraging the XSS vulnerability. While the vulnerability does not directly compromise server confidentiality or availability, the indirect effects on user trust and potential lateral movement through stolen credentials could be significant. Organizations in sectors with high web presence or sensitive data, such as finance, government, and e-commerce, are particularly at risk. The medium severity rating suggests that while the impact is not catastrophic, the ease of exploitation and public exploit availability warrant prompt attention.
Mitigation Recommendations
Since no official patch is available, European organizations should take immediate compensating controls. First, disable or restrict the use of JSONP callbacks in the CMS configuration if possible, or remove the vulnerable dr_show_error/dr_exit_msg function usage. Implement strict input validation on the 'callback' parameter to allow only safe characters or whitelist known callback function names. Apply output encoding or sanitization to ensure that any reflected input is properly escaped in the response. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious callback parameter values indicative of XSS payloads. Conduct regular security audits and penetration testing focusing on this vulnerability. Educate users about phishing risks and monitor web logs for anomalous requests targeting the vulnerable endpoint. Consider migrating to alternative CMS platforms or updated versions once patches become available. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.
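The callback allowlist and log monitoring described above, as an added Python example that is not XunRuiCMS code: the validation logic is what one would port into the PHP handler, and the log lines, the default callback name and the log format are constructed assumptions.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Allowlist: a JavaScript identifier, optionally dotted (e.g. "jQuery321.cb").
# Quotes, angle brackets, parentheses and semicolons can never pass.
CALLBACK_RE = re.compile(r"^[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)*$")
MAX_CALLBACK_LEN = 64
DEFAULT_CALLBACK = "callback"  # assumed fallback name, not the CMS's own


def safe_callback(value):
    """Return the requested callback name if it is allowlisted, else the default."""
    if value is None or len(value) > MAX_CALLBACK_LEN or not CALLBACK_RE.match(value):
        return DEFAULT_CALLBACK
    return value


def jsonp_error_response(callback, msg):
    """Hardened shape for an error handler: allowlisted name, JSON-encoded body.
    json.dumps (ensure_ascii=True) also escapes U+2028/U+2029, which are valid
    in JSON but end a line in JavaScript.  The HTTP layer should still send
    Content-Type: application/javascript and X-Content-Type-Options: nosniff."""
    return "%s(%s);" % (safe_callback(callback), json.dumps({"code": 0, "msg": msg}))


# Constructed access-log lines (combined format), not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Dec/2025:22:10:01 +0000] "GET /api/data?callback=jQuery321_17 HTTP/1.1" 200 512
203.0.113.9 - - [30/Dec/2025:22:11:44 +0000] "GET /api/data?callback=%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 610
203.0.113.7 - - [30/Dec/2025:22:12:03 +0000] "GET /index.php?s=api&callback=cb)x( HTTP/1.1" 200 590
"""
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/')


def find_suspicious(log_text):
    """Return (client_ip, decoded callback) for every request whose callback
    parameter would be refused by safe_callback, so a reviewer can triage them."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        ip, target = m.group(1), m.group(2)
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get("callback", []):
            if safe_callback(value) != value:
                hits.append((ip, value))
    return hits
```

Running find_suspicious over a real access log flags the second and third request shapes while letting the ordinary jQuery-style callback through.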
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-12-27T11:26:51.226Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 695450b1db813ff03e2bee0f
Added to database: 12/30/2025, 10:22:41 PM
Last enriched: 12/30/2025, 11:08:58 PM
Last updated: 2/5/2026, 11:16:06 PM