CVE-2025-32680 identifies a Stored Cross-site Scripting (XSS) vulnerability in the Review Stream product by Grade Us, Inc., affecting all versions up to 1.6.7. Stored XSS occurs when malicious input is improperly sanitized and then permanently stored by the application, later served to users without adequate encoding or filtering. In this case, the vulnerability stems from improper neutralization of input during web page generation, allowing attackers to inject malicious JavaScript code into review content or other input fields. When other users or administrators view the affected pages, the malicious scripts execute in their browsers within the context of the vulnerable site. This can lead to theft of session cookies, user impersonation, redirection to malicious sites, or execution of unauthorized actions. The vulnerability does not require authentication or user interaction beyond visiting the compromised page, increasing its risk profile. Although no public exploits have been reported yet, the nature of stored XSS makes it a persistent threat that can be weaponized for phishing, spreading malware, or gaining unauthorized access. The lack of a CVSS score indicates the need for manual severity assessment, which here is high given the broad impact on confidentiality, integrity, and availability of user sessions and data. The vulnerability affects a widely used customer review aggregation tool, which is often integrated into business websites and marketing platforms, amplifying potential exposure.

The impact of CVE-2025-32680 is significant for organizations using the Review Stream product, especially those relying on it to collect and display customer reviews on their websites. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users or administrators, potentially leading to unauthorized data access or modification. It can also facilitate phishing attacks by injecting deceptive content or redirecting users to malicious sites. The persistent nature of stored XSS means that once injected, malicious scripts remain active until removed, increasing the window of exposure. This can damage organizational reputation, erode customer trust, and lead to regulatory compliance issues if sensitive user data is compromised. Additionally, attackers might leverage this vulnerability to distribute malware or conduct further attacks within the victim’s network. Given that Review Stream is integrated into many business websites globally, the scope of impact can be extensive, affecting both small businesses and large enterprises that depend on customer feedback mechanisms.

To mitigate CVE-2025-32680, organizations should immediately update Review Stream to a version beyond 1.6.7 once a patch is released by Grade Us, Inc. In the absence of an official patch, implement strict input validation and output encoding on all user-supplied data, especially review content, to neutralize potentially malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. Regularly audit and sanitize stored data to identify and remove any malicious payloads already present. Additionally, enable HTTP-only and secure flags on cookies to protect session tokens from theft via XSS. Educate administrators and users about the risks of clicking suspicious links or interacting with untrusted content. Monitor web application logs for unusual activity that might indicate exploitation attempts. Finally, consider deploying web application firewalls (WAFs) with rules tailored to detect and block XSS attacks targeting Review Stream endpoints.