
CVE-2025-45388: n/a in n/a

Severity: Medium
Tags: Vulnerability, CVE-2025-45388, cve, cve-2025-45388
Published: Wed May 07 2025 (05/07/2025, 00:00:00 UTC)
Source: CVE
Vendor/Project: n/a
Product: n/a

Description

Wagtail CMS 6.4.1 is vulnerable to a Stored Cross-Site Scripting (XSS) in the document upload functionality. Attackers can inject malicious code inside a PDF file. When a user clicks the document in the CMS interface, the payload executes. NOTE: this is disputed by the Supplier because "It has been well documented that when serving uploaded files using a method outside of Wagtail (which admittedly is the default), it requires additional configuration from the developer, because Wagtail cannot control how these are served. ... For example, if a Wagtail instance is configured to upload files into AWS S3, Wagtail cannot control the permissions on how they're served, nor any headers used when serving them (a limitation of S3)."

AI-Powered Analysis

Last updated: 07/05/2025, 02:55:37 UTC

Technical Analysis

CVE-2025-45388 is a medium-severity vulnerability affecting Wagtail CMS version 6.4.1. The vulnerability is a Stored Cross-Site Scripting (XSS) flaw located in the document upload functionality of the CMS. Specifically, attackers can embed malicious JavaScript code inside a PDF file uploaded to the system. When an authenticated user clicks on the malicious document within the Wagtail CMS interface, the embedded payload executes in the user's browser context. This can lead to unauthorized actions such as session hijacking, data theft, or further exploitation within the CMS environment. The vulnerability is classified under CWE-79, which pertains to improper neutralization of input during web page generation. However, the supplier disputes the vulnerability's impact, noting that Wagtail itself does not control how uploaded files are served when using external storage solutions like AWS S3. In such cases, additional developer configuration is required to manage permissions and HTTP headers, which can mitigate or exacerbate the risk. The CVSS v3.1 base score is 6.1, indicating a medium severity level. The vector string (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) shows that the attack can be performed remotely over the network with low attack complexity, requires no privileges but does require user interaction (clicking the document), and affects confidentiality and integrity with a scope change. No known exploits are currently reported in the wild, and no patches are explicitly linked, suggesting that mitigation may rely on configuration and best practices rather than immediate software updates.

Potential Impact

For European organizations using Wagtail CMS 6.4.1, this vulnerability poses a risk primarily to the confidentiality and integrity of data managed within the CMS. An attacker exploiting this flaw could execute arbitrary scripts in the context of CMS users, potentially leading to unauthorized access to sensitive content, user session hijacking, or manipulation of CMS data. This is particularly concerning for organizations that rely on Wagtail for managing public-facing websites or internal portals containing confidential information. The impact is heightened in environments where uploaded documents are served directly from Wagtail without proper isolation or sanitization, or where external storage configurations (e.g., AWS S3) are misconfigured, allowing malicious payloads to execute. Given that exploitation requires user interaction, the risk is mitigated somewhat by user awareness, but the potential for phishing or social engineering attacks remains. The scope change in the CVSS vector indicates that the vulnerability could affect resources beyond the initially vulnerable component, potentially compromising other parts of the CMS or connected systems. Overall, the vulnerability could disrupt business operations, damage organizational reputation, and lead to data breaches if exploited.

Mitigation Recommendations

1. Review and harden the configuration of file storage and serving mechanisms, especially when using external services like AWS S3. Ensure that permissions and HTTP headers (e.g., Content-Type, Content-Disposition, Content-Security-Policy) are correctly set to prevent execution of embedded scripts in uploaded documents.
2. Implement strict validation and sanitization of uploaded files, including scanning PDFs for embedded scripts or suspicious content before allowing them to be uploaded or served.
3. Restrict document access within the CMS interface to trusted users only and consider implementing additional authentication or authorization controls around document viewing.
4. Educate CMS users about the risks of clicking on uploaded documents and encourage cautious behavior to reduce the likelihood of successful social engineering.
5. Monitor CMS logs and user activity for unusual access patterns or repeated document clicks that could indicate exploitation attempts.
6. Stay updated with Wagtail CMS releases and community advisories for any patches or official mitigations addressing this vulnerability.
7. If feasible, isolate document serving from the main CMS interface or use sandboxing techniques to limit the impact of any malicious payload execution.
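A check for the response headers named in recommendation 1, as an added example that is not Wagtail code or part of the original advisory. The finding names, the list of active content types and the pass/fail policy are assumptions of this sketch; the sample header sets are constructed.

```python
# Added example: audit the headers a document URL is served with.
# Policy and finding names are assumptions of this sketch, not Wagtail behaviour.

# Types a browser renders as an active document when displayed inline.
ACTIVE_TYPES = {"application/pdf", "text/html", "application/xhtml+xml",
                "image/svg+xml", "text/xml", "application/xml"}


def first_token(value):
    """Return the header value before any ';' parameters, lower-cased."""
    return value.split(";", 1)[0].strip().lower()


def csp_directives(value):
    """Parse a CSP header into {directive: [sources]}; first occurrence wins."""
    parsed = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            parsed.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return parsed


def blocks_script(csp):
    """True if the policy sandboxes without scripts or forbids script sources."""
    if "sandbox" in csp and "allow-scripts" not in csp["sandbox"]:
        return True
    effective = csp.get("script-src", csp.get("default-src"))
    return effective == ["'none'"]


def audit_document_headers(headers):
    """Return a sorted list of findings for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = first_token(h.get("content-type", ""))
    if not ctype:
        findings.append("missing-content-type")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing-nosniff")
    inline = first_token(h.get("content-disposition", "inline")) != "attachment"
    renders = ctype in ACTIVE_TYPES or not ctype  # no type: browser may sniff one
    csp = csp_directives(h.get("content-security-policy", ""))
    if inline and renders and not blocks_script(csp):
        findings.append("inline-active-content")
    return sorted(findings)


# Constructed sample responses (not captured from a real deployment).
BUCKET_DEFAULT = {"Content-Type": "application/pdf"}
HARDENED = {"Content-Type": "application/pdf", "X-Content-Type-Options": "nosniff",
            "Content-Disposition": 'attachment; filename="report.pdf"',
            "Content-Security-Policy": "default-src 'none'"}
```

Feed it the headers returned for a document URL as fetched from the storage backend or CDN that actually serves the file, since that is the layer the supplier says Wagtail cannot control.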


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-04-22T00:00:00.000Z
Cisa Enriched: true
Cvss Version: 3.1
State: PUBLISHED

Threat ID: 682d9818c4522896dcbd7af5

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 2:55:37 AM

Last updated: 7/26/2025, 5:32:06 AM
