CVE-2025-27802 is a stored Cross-Site Scripting (XSS) vulnerability identified in Optimizely's Episerver Content Management System (CMS) versions 11.x (prior to 11.21.4 and 11.37.5 for CMS.Core and CMS.UI respectively) and 12.x (prior to 12.22.1 and 11.37.3). The vulnerability arises from improper neutralization of input during web page generation, specifically within Rich Text Editor (RTE) properties used in the CMS's 'Edit' section. Authenticated users with the 'WebEditor' role can input arbitrary text containing malicious JavaScript code into these RTE fields. When other users preview the affected pages, the injected script executes in their browsers, enabling attackers to perform actions such as session hijacking, credential theft, or unauthorized actions within the CMS context. The vulnerability requires authentication with elevated privileges but does not require additional user interaction beyond visiting the previewed page. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond the WebEditor role, and partial impact on confidentiality, integrity, and availability. No public exploits are currently known, but the vulnerability's presence in widely used CMS versions makes it a significant concern for organizations relying on Episerver CMS for content management and web presence.

For European organizations, this vulnerability can lead to unauthorized execution of malicious scripts within the browsers of CMS users, potentially compromising sensitive session tokens, user credentials, or enabling unauthorized actions within the CMS environment. This can result in data breaches, defacement of websites, or further lateral movement within the organization's network. Given that the vulnerability requires authenticated access with WebEditor privileges, insider threats or compromised editor accounts pose a significant risk. Organizations in sectors such as media, retail, and government that rely heavily on Episerver CMS for their web content management are particularly at risk. The impact extends to brand reputation damage, regulatory non-compliance (e.g., GDPR if personal data is exposed), and operational disruptions. The medium CVSS score reflects moderate risk but should not lead to complacency, especially in environments with multiple users having editing privileges.

To mitigate this vulnerability, organizations should immediately upgrade to the fixed versions of Episerver CMS: 11.21.4 or later for 11.x series and 12.22.1 or later for 12.x series, along with corresponding CMS.UI updates. If immediate patching is not feasible, implement strict input validation and sanitization on RTE fields to neutralize potentially malicious scripts. Limit the number of users with 'WebEditor' or higher privileges and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of account compromise. Monitor CMS logs for unusual editing activities and preview page accesses. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct regular security training for CMS users to recognize phishing and social engineering attempts that could lead to credential theft. Finally, perform periodic security assessments and penetration testing focused on CMS components to detect similar vulnerabilities proactively.