
CVE-2025-39365: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Rocket Apps wProject

High
Tags: Vulnerability, CVE-2025-39365, cve, cve-2025-39365, cwe-79
Published: Mon May 19 2025 (05/19/2025, 19:40:23 UTC)
Source: CVE
Vendor/Project: Rocket Apps
Product: wProject

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Rocket Apps wProject allows Reflected XSS. This issue affects wProject: from n/a before 5.8.0.

AI-Powered Analysis

Last updated: 07/11/2025, 15:50:45 UTC

Technical Analysis

CVE-2025-39365 is a high-severity reflected Cross-Site Scripting (XSS) vulnerability identified in Rocket Apps' wProject software prior to version 5.8.0. The vulnerability stems from improper neutralization of input during web page generation, classified under CWE-79. Specifically, the application fails to adequately sanitize or encode user-supplied input before reflecting it back in HTTP responses, allowing attackers to inject malicious scripts. This reflected XSS can be triggered without authentication (PR:N) and requires user interaction (UI:R), such as clicking a crafted URL. The vulnerability has a CVSS 3.1 base score of 7.1, indicating high severity, with an attack vector of network (AV:N), low attack complexity (AC:L), and scope change (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. The impact includes partial confidentiality, integrity, and availability loss (C:L/I:L/A:L), as attackers can execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, credential theft, unauthorized actions on behalf of the user, or delivery of further malware. No known exploits are currently reported in the wild, and no patches have been linked yet, but the vulnerability is publicly disclosed and enriched by CISA. The lack of a patch at the time of disclosure necessitates immediate attention from users of wProject. Given the nature of reflected XSS, exploitation requires tricking users into clicking malicious links, often via phishing or social engineering. The scope change indicates that the vulnerability can affect other components or users beyond the initially targeted ones, potentially amplifying impact in multi-tenant or collaborative environments typical of project management software like wProject.

Potential Impact

For European organizations using Rocket Apps wProject, this vulnerability poses significant risks, especially for those relying on the software for project management and collaboration. Exploitation could lead to unauthorized access to sensitive project data, leakage of confidential information, and compromise of user accounts. The reflected XSS can facilitate session hijacking or execution of malicious scripts that perform unauthorized actions, undermining data integrity and availability. This is particularly critical for organizations handling regulated data under GDPR, as breaches could result in compliance violations and financial penalties. Additionally, the vulnerability could be leveraged as an initial vector for broader network compromise if attackers use stolen credentials or session tokens to escalate privileges. The requirement for user interaction means that phishing campaigns targeting employees could be effective, increasing the threat surface. The scope change suggests that the vulnerability might impact multiple users or integrated systems, amplifying potential damage. Overall, the vulnerability threatens confidentiality, integrity, and availability of project management workflows, potentially disrupting business operations and damaging organizational reputation.

Mitigation Recommendations

European organizations should immediately assess their use of Rocket Apps wProject and identify affected versions prior to 5.8.0. Until an official patch is released, implement the following mitigations:

1) Employ Web Application Firewalls (WAFs) with rules designed to detect and block reflected XSS payloads targeting wProject endpoints.
2) Educate users about phishing risks and the dangers of clicking unsolicited links, emphasizing caution with URLs related to project management tools.
3) Implement Content Security Policy (CSP) headers to restrict execution of unauthorized scripts within the wProject web application context.
4) Conduct thorough input validation and output encoding on any custom integrations or plugins interfacing with wProject to reduce injection risks.
5) Monitor logs and network traffic for unusual patterns indicative of attempted exploitation, such as suspicious query parameters or repeated access attempts.
6) Prepare for rapid deployment of patches once available by establishing update procedures and testing environments.
7) Limit user privileges within wProject to the minimum necessary to reduce impact if an account is compromised.
8) Consider isolating wProject access to trusted networks or VPNs to reduce exposure to external attackers.

These targeted actions go beyond generic advice by focusing on immediate risk reduction and user awareness tailored to the specific vulnerability context.
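As an added example of the log monitoring in item 5 (not code from the advisory or from wProject), the following Python parses constructed access-log lines, URL-decodes each query parameter (twice, so double-encoded markup is not missed), and flags values carrying HTML tags or event-handler attributes, which is what a reflected payload looks like in a request. The paths, IP addresses and the `s` parameter name are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined log format). Paths, IPs and
# parameter names are invented for the example, not taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2025:10:01:02 +0000] "GET /wproject/?s=roadmap HTTP/1.1" 200 5120
203.0.113.9 - - [20/May/2025:10:01:09 +0000] "GET /wproject/?s=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5123
203.0.113.9 - - [20/May/2025:10:01:15 +0000] "GET /wproject/?s=%22%20onmouseover%3D%22alert(1) HTTP/1.1" 200 5123
198.51.100.4 - - [20/May/2025:10:02:00 +0000] "GET /wproject/?task=42&view=list HTTP/1.1" 200 4096
"""

# client IP, bracketed timestamp, then "METHOD target PROTOCOL"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# Heuristic: markup that has no business in a search term or record id.
SUSPICIOUS = re.compile(r'<\s*/?\s*[a-z]|javascript:|on[a-z]+\s*=', re.IGNORECASE)


def decode_params(target):
    """Return (path, [(name, value), ...]) with values fully URL-decoded."""
    parts = urlsplit(target)
    params = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; decode again to catch %253C-style encoding
        params.append((name, unquote_plus(value)))
    return parts.path, params


def scan_log(text):
    """Return (ip, path, param, decoded_value) for each suspicious parameter."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # malformed line; a real collector would count these
        path, params = decode_params(m.group("target"))
        for name, value in params:
            if SUSPICIOUS.search(value):
                hits.append((m.group("ip"), path, name, value))
    return hits


def repeated_sources(hits, threshold=2):
    """IPs with at least `threshold` flagged requests (item 5's repeated attempts)."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The pattern is deliberately narrow; tune it against the parameters wProject actually exposes and feed flagged sources into the WAF rules from item 1.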


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-04-16T06:22:20.495Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682cd0f81484d88663aeb3f0

Added to database: 5/20/2025, 6:59:04 PM

Last enriched: 7/11/2025, 3:50:45 PM

Last updated: 7/30/2025, 4:08:06 PM
