
CVE-2025-40977: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in WorkDo eCommerceGo SaaS

Severity: Medium
Tags: CVE-2025-40977, CWE-79
Published: Mon Jan 12 2026 (01/12/2026, 11:28:01 UTC)
Source: CVE Database V5
Vendor/Project: WorkDo
Product: eCommerceGo SaaS

Description

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters.

AI-Powered Analysis

AI analysis last updated: 01/12/2026, 11:53:26 UTC

Technical Analysis

CVE-2025-40977 is a stored Cross-Site Scripting (XSS) vulnerability identified in WorkDo's eCommerceGo SaaS platform, affecting all versions. The vulnerability stems from improper neutralization of user-supplied input during web page generation, specifically in the handling of the 'subject' and 'description' parameters sent via POST requests to the '/store-ticket' endpoint. Because the input is not properly sanitized or encoded, malicious scripts can be injected and stored on the server and are then executed in the browsers of users who view the affected content. This type of vulnerability can allow attackers to perform actions such as session hijacking, cookie theft, defacement, or redirecting users to malicious sites. The CVSS 4.0 vector indicates the attack can be performed remotely (AV:N) with low attack complexity (AC:L), requires low privileges (PR:L) and requires user interaction (UI:P). The impact on confidentiality, integrity, and availability is limited but present: low impact on confidentiality and integrity, and no impact on availability. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability was assigned by INCIBE and published in January 2026. Given the SaaS nature of the product, the vulnerability could affect multiple tenants and users simultaneously if exploited.

Potential Impact

For European organizations using WorkDo eCommerceGo SaaS, this vulnerability poses a risk of client-side attacks that can compromise user sessions, steal sensitive information such as authentication tokens, or perform unauthorized actions on behalf of users. This can lead to reputational damage, loss of customer trust, and potential regulatory consequences under GDPR if personal data is compromised. The stored nature of the XSS increases risk as malicious payloads persist and affect multiple users over time. Since the SaaS platform is likely used by eCommerce businesses, attackers could leverage this vulnerability to manipulate transactions, inject fraudulent content, or disrupt customer interactions. The medium severity indicates a moderate risk, but the widespread use of SaaS in Europe and the critical nature of eCommerce platforms amplify the potential impact. Organizations may also face increased phishing or social engineering risks if attackers use the vulnerability to inject deceptive content.

Mitigation Recommendations

Organizations should implement strict input validation and sanitization on the server side for the 'subject' and 'description' parameters in the '/store-ticket' endpoint to neutralize any malicious scripts. Employing context-aware output encoding (e.g., HTML entity encoding) before rendering user input in web pages is critical to prevent script execution. Applying Content Security Policy (CSP) headers can reduce the impact of XSS by restricting the sources of executable scripts. Monitoring and logging ticket submissions for suspicious patterns can help detect exploitation attempts early. Since no patches are currently available, organizations should work with WorkDo to prioritize patch development and deployment. Additionally, educating users about the risks of interacting with unexpected or suspicious content can reduce the likelihood of successful exploitation. Regular security assessments and penetration testing of the SaaS environment can help identify residual or related vulnerabilities.
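Added example (not WorkDo's code and not the product's actual template): the raw-interpolation pattern that causes this class of bug beside its output-encoded counterpart, a restrictive CSP header, and a coarse triage check over a constructed ticket submission. The field names follow the advisory; the rendering functions, header value and regex are assumptions.

```python
import html
import re

# Constructed sample submission shaped like the POST body the advisory names
# (the 'subject' and 'description' parameters of /store-ticket).
SAMPLE_TICKET = {
    "subject": "Order #123 <script>alert(1)</script>",
    "description": "Please refund & close the ticket <b>ASAP</b>",
}


def render_ticket_unsafe(ticket):
    """Vulnerable pattern (hypothetical): raw interpolation into HTML, so any
    markup in the stored fields is parsed by every viewer's browser."""
    return (f"<h2>{ticket['subject']}</h2>"
            f"<p>{ticket['description']}</p>")


def render_ticket_safe(ticket):
    """Hardened pattern: HTML-entity encode each field for the HTML body
    context at output time, so the browser shows the text and never runs it."""
    return (f"<h2>{html.escape(ticket['subject'], quote=True)}</h2>"
            f"<p>{html.escape(ticket['description'], quote=True)}</p>")


# Defence in depth: a CSP that refuses inline script even if one template
# somewhere forgets to encode. Header value is an assumed baseline policy.
CSP_HEADER = (
    "Content-Security-Policy",
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
)

# Coarse triage heuristic for logging/alerting on ticket submissions. It is a
# detection aid, not an input filter: it will miss encodings and may flag
# benign text such as "reason=", so treat hits as review candidates only.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object)\b|on\w+\s*=|javascript:", re.I
)


def flag_submission(ticket):
    """Return the names of fields whose raw content matches script-like markup."""
    return [k for k in ("subject", "description")
            if SUSPICIOUS.search(ticket.get(k, ""))]


if __name__ == "__main__":
    print(render_ticket_safe(SAMPLE_TICKET))
    print("flagged fields:", flag_submission(SAMPLE_TICKET))
```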


Technical Details

Data Version: 5.2
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:08:23.193Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6964dd45da2266e83875f33f

Added to database: 1/12/2026, 11:38:45 AM

Last enriched: 1/12/2026, 11:53:26 AM

Last updated: 1/12/2026, 10:30:46 PM
