
CVE-2025-43797: CWE-1188: Insecure Default Initialization of Resource in Liferay Portal

Severity: Medium
Tags: vulnerability, cve-2025-43797, cwe-1188
Published: Mon Sep 15 2025 (09/15/2025, 21:28:30 UTC)
Source: CVE Database V5
Vendor/Project: Liferay
Product: Portal

Description

In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered users to become a member of the site. A remote attacker with site membership can potentially view, add or edit content on the site.

AI-Powered Analysis

Last updated: 09/23/2025, 01:05:31 UTC

Technical Analysis

CVE-2025-43797 is a medium-severity vulnerability affecting Liferay Portal 7.1.0 through 7.4.3.111 and the Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 releases, plus older unsupported versions. The core issue is the insecure default initialization of a newly created site's membership type: unless the site creator changes it, a new site is “Open”, which in Liferay's model means any registered user can join it with a single click, without a membership request or administrator approval (the other two types, “Restricted” and “Private”, require approval of a request or direct assignment by an administrator, respectively). Once a registered user has joined, membership confers the site's member role and its permissions, so the attacker can potentially view, add or edit content within the site, leading to unauthorized data modification and information disclosure. The vulnerability is classified under CWE-1188 (insecure default initialization of a resource): a design flaw in which the shipped default is overly permissive, rather than a bug in any single code path. The CVSS 4.0 base score of 5.3 reflects a medium severity, with network attack vector (AV:N), low attack complexity (AC:L), no special attack requirements (AT:N), no user interaction (UI:N) and low impact on confidentiality and integrity of the vulnerable system (VC:L, VI:L), with no availability impact. Note that AT:N is the attack-requirements metric, not authentication: the CVE text requires the attacker to hold a registered account, so this is a low-privilege, authenticated attack, not an unauthenticated one. No known exploits are currently reported in the wild, and no patches are linked on this record yet, so organizations should proactively review and adjust site membership settings to mitigate the risk. Because any registered user can exploit it, the exposure is greatest in environments with many users or where self-registration is open or lightly controlled.

Potential Impact

For European organizations using Liferay Portal or Liferay DXP, this vulnerability could lead to unauthorized access to and modification of sensitive or business-critical content hosted on internal or public-facing portals. Because any registered user can join a site by default, the risk comes both from insiders who already hold accounts and from external attackers who register one where self-registration is enabled. This can result in data integrity issues, leakage of confidential information, and disruption of business processes that rely on portal content. Organizations in sectors such as government, finance, healthcare, and education, where Liferay is commonly deployed, may face compliance obligations under GDPR if personal or sensitive data is exposed or altered without authorization. The medium severity score reflects that the flaw does not by itself yield full system compromise, but it still poses a meaningful risk to the confidentiality and integrity of portal content, which can undermine trust and operational continuity.

Mitigation Recommendations

European organizations should immediately audit their Liferay Portal and DXP deployments for sites whose membership type is “Open” (in the site's Site Settings under Membership Options, or programmatically via the group's type value). For each one, decide whether self-service joining is actually intended; where it is not, switch the site to “Restricted” (users must request membership and a site administrator approves each request) or “Private” (only administrators add members). Changing the default only affects sites created afterwards, so every existing site has to be reviewed individually, and site owners should be briefed on what the three membership options mean so they choose deliberately when creating sites. Tighten account creation: disable self-registration where it is not needed, or require e-mail verification and approval, since the attack needs nothing more than a registered account. Use role-based access controls so that the default site member role cannot edit content that should be restricted, and review site membership lists regularly to detect and remove unexpected members. Monitor portal audit logs for bursts of membership joins and for content modifications by newly joined accounts. Apply the vendor fix once it is linked to this record; until then treat the membership default as a configuration-management item and have vulnerability or configuration scanners flag newly created sites that come up “Open”. A web application firewall can at most log or rate-limit the site-join request path; it cannot tell a legitimate join from a malicious one, so treat it as a detection aid rather than a fix.
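An offline audit helper for the review described above, covering both the membership-type model from the technical analysis and the “find every Open site” step of the mitigation. It is an added example, not code from Liferay or from this advisory. It assumes site records shaped like the JSON that Liferay's JSON web services return for Group objects (fields groupId, name, site, type); the fetch_groups helper, its endpoint and its parameters are assumptions to verify against /api/jsonws on your own instance, and the SAMPLE_GROUPS records are constructed. The membership-type constants follow Liferay's GroupConstants (TYPE_SITE_OPEN = 1, TYPE_SITE_PRIVATE = 2, TYPE_SITE_RESTRICTED = 3).

```python
"""Flag Liferay sites whose membership type is Open (CVE-2025-43797).

Added example, not Liferay's own code. Record shape and the JSONWS
endpoint used by fetch_groups are assumptions; sample data is constructed.
"""
import base64
import json
import urllib.request

# Liferay GroupConstants site membership types.
TYPE_SITE_OPEN = 1          # any registered user can join themselves
TYPE_SITE_PRIVATE = 2       # only administrators add members
TYPE_SITE_RESTRICTED = 3    # users request, an administrator approves

MEMBERSHIP_NAMES = {
    TYPE_SITE_OPEN: "Open",
    TYPE_SITE_PRIVATE: "Private",
    TYPE_SITE_RESTRICTED: "Restricted",
}

# Constructed sample records (assumed Group JSON shape: groupId, name, site, type).
SAMPLE_GROUPS = [
    {"groupId": 20123, "name": "Guest", "site": True, "type": 1},
    {"groupId": 30456, "name": "HR Intranet", "site": True, "type": 1},
    {"groupId": 30789, "name": "Finance", "site": True, "type": 2},
    {"groupId": 31000, "name": "Projects", "site": True, "type": 3},
    # An organization group: also a Group row, but not a site, so it is skipped.
    {"groupId": 40001, "name": "Acme Org", "site": False, "type": 1},
]


def membership_name(group_type):
    """Human-readable membership type, tolerating unknown values."""
    return MEMBERSHIP_NAMES.get(group_type, f"unknown({group_type})")


def find_open_sites(groups, allowlist=frozenset()):
    """Return site groups with Open membership, minus deliberately open ones.

    Only records flagged site=True are considered, because Liferay also
    stores organizations, user personal sites and layout prototypes as Group
    rows. `allowlist` holds names of sites where self-joining is intended
    (the public Guest site is the usual case).
    """
    return [
        g for g in groups
        if g.get("site") is True
        and g.get("type") == TYPE_SITE_OPEN
        and g.get("name") not in allowlist
    ]


def summarize(groups):
    """Count sites per membership type for a quick report."""
    counts = {}
    for g in groups:
        if not g.get("site"):
            continue
        name = membership_name(g.get("type"))
        counts[name] = counts.get(name, 0) + 1
    return counts


def fetch_groups(base_url, user, password, company_id):
    """Pull top-level site groups over Liferay's JSON web services.

    ASSUMPTION: the group/get-groups method with companyId, parentGroupId and
    site parameters; check /api/jsonws on your instance. Never called at
    import time, so the audit functions above work fully offline.
    """
    url = (f"{base_url}/api/jsonws/group/get-groups"
           f"?companyId={company_id}&parentGroupId=0&site=true")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print("membership types:", summarize(SAMPLE_GROUPS))
    for g in find_open_sites(SAMPLE_GROUPS, allowlist={"Guest"}):
        print(f"OPEN site needs review: groupId={g['groupId']} name={g['name']!r}")
```

Run it as-is to see the report for the constructed records; for a real audit replace SAMPLE_GROUPS with the output of fetch_groups (or a JSON export from your own tooling) and add to the allowlist only the sites whose owners have confirmed that self-service joining is intended.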


Technical Details

Data Version
5.1
Assigner Short Name
Liferay
Date Reserved
2025-04-17T10:55:31.458Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68c8863160bc4e6b5be35132

Added to database: 9/15/2025, 9:33:37 PM

Last enriched: 9/23/2025, 1:05:31 AM

Last updated: 10/29/2025, 9:24:27 AM
