CVE-2025-28976 is a medium severity vulnerability classified under CWE-79, which pertains to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This specific vulnerability affects the product 'Email Address Security by WebEmailProtector' developed by dsrodzin, in versions up to and including 3.3.6. The vulnerability allows for Stored XSS attacks, meaning that malicious input submitted by an attacker is stored by the application and later rendered in web pages without proper sanitization or encoding. This can lead to the execution of arbitrary JavaScript code in the context of users who view the affected pages. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), but requires some level of privileges (PR:L) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is low to medium (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches are linked yet. The vulnerability was reserved in March 2025 and published in July 2025. Stored XSS vulnerabilities can be exploited to steal user credentials, perform actions on behalf of users, or deliver malware, especially in webmail or email security contexts where sensitive information is handled.

For European organizations, this vulnerability poses a significant risk especially to those using the affected Email Address Security by WebEmailProtector product. Since this product is designed to protect email addresses, exploitation of this Stored XSS could lead to unauthorized access to sensitive email data, phishing attacks, session hijacking, or spreading malware within corporate networks. The impact is heightened in sectors with strict data protection regulations such as GDPR, where leakage of personal data or unauthorized actions could result in regulatory penalties and reputational damage. Organizations relying on this product for email security may face compromised confidentiality and integrity of communications. Additionally, the changed scope (S:C) suggests that exploitation could affect multiple components or users beyond the initially targeted system, increasing the potential damage. The requirement for some privileges and user interaction means that attackers might need to compromise a user account or trick users into clicking malicious links, but once successful, the attack could propagate within the organization’s environment.

1. Immediate mitigation should include disabling or restricting the vulnerable functionality in Email Address Security by WebEmailProtector until a patch is available. 2. Implement strict input validation and output encoding on all user-supplied data, especially in areas where email addresses are processed or displayed. 3. Employ Content Security Policy (CSP) headers to reduce the impact of XSS by restricting the execution of unauthorized scripts. 4. Conduct thorough security reviews and penetration testing focusing on stored XSS vectors in the affected product. 5. Educate users about the risks of clicking on suspicious links or interacting with unexpected email content to reduce the likelihood of user interaction exploitation. 6. Monitor logs and network traffic for unusual activities that could indicate exploitation attempts. 7. Once available, promptly apply vendor patches or updates addressing this vulnerability. 8. Consider deploying web application firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting this product.