CVE-2025-47662 is a Stored Cross-site Scripting (XSS) vulnerability classified under CWE-79, affecting the Woobox platform up to version 1.6. Woobox is a marketing and engagement platform that allows users to create interactive campaigns such as contests, polls, and promotions. The vulnerability arises due to improper neutralization of input during web page generation, meaning that user-supplied data is not correctly sanitized or encoded before being rendered in the web interface. This flaw enables an attacker to inject malicious scripts that are stored on the server and executed in the browsers of users who view the affected pages. The CVSS 3.1 base score is 6.5 (medium severity), with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), user interaction (UI:R), scope changed (S:C), and low impact on confidentiality, integrity, and availability (C:L/I:L/A:L). The scope change indicates that the vulnerability affects resources beyond the initially vulnerable component. Exploitation requires an attacker with some level of privileges on the platform and user interaction to trigger the malicious script. Although no known exploits are currently reported in the wild, the vulnerability poses a risk of session hijacking, defacement, or redirection to malicious sites, potentially compromising user accounts and data integrity within the Woobox environment. Given Woobox’s role in managing marketing campaigns, exploitation could also lead to reputational damage and loss of customer trust.

For European organizations using Woobox, this vulnerability could lead to unauthorized script execution within the context of their marketing campaigns or user interactions. This may result in theft of session tokens, unauthorized actions performed on behalf of users, or delivery of malicious payloads to end users. The impact extends to potential data leakage, manipulation of campaign content, and disruption of marketing activities. Organizations relying on Woobox for customer engagement risk reputational harm and regulatory scrutiny under GDPR if personal data is compromised. The requirement for attacker privileges and user interaction somewhat limits the ease of exploitation; however, insider threats or compromised accounts could be leveraged to exploit this vulnerability. The scope change in the CVSS vector suggests that the vulnerability could affect multiple components or users beyond the initially compromised area, increasing the potential breadth of impact within an organization.

To mitigate this vulnerability, European organizations should prioritize updating Woobox to a patched version once available, as no patch links are currently provided. In the interim, organizations should implement strict input validation and output encoding on all user-supplied data within Woobox, particularly in campaign creation and management interfaces. Employ Content Security Policy (CSP) headers to restrict script execution sources and reduce the impact of potential XSS payloads. Regularly audit user privileges and enforce the principle of least privilege to minimize the risk of attackers gaining the necessary access to exploit this vulnerability. Additionally, monitor logs for unusual activity indicative of XSS exploitation attempts and educate users about the risks of interacting with suspicious campaign content. If feasible, isolate Woobox instances from critical internal networks to limit lateral movement in case of compromise.