CVE-2025-48365 is a medium-severity vulnerability classified under CWE-79, which corresponds to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This vulnerability affects the 'Custom Comment' product developed by imaprogrammer, up to version 2.1.6. The flaw allows an attacker to inject malicious scripts that are stored persistently on the target system and later executed in the context of users viewing the affected web pages. Specifically, this is a Stored XSS vulnerability, meaning that the malicious payload is saved on the server and served to users, increasing the attack's persistence and impact. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, but requires high privileges and user interaction. The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as it can lead to session hijacking, defacement, or denial of service. The vulnerability was published on August 28, 2025, and no known exploits are currently in the wild. No patches or fixes have been linked yet, which suggests that affected organizations should prioritize mitigation and monitoring. The vulnerability affects web applications that use the Custom Comment plugin/module, which is likely integrated into content management systems or custom web platforms that allow user-generated comments. The root cause is insufficient input sanitization or output encoding when rendering user comments, allowing malicious JavaScript to be injected and executed in other users' browsers.

For European organizations, the impact of this vulnerability can be significant, especially for those relying on the imaprogrammer Custom Comment product to manage user interactions on their websites or intranet portals. Exploitation could lead to unauthorized access to user sessions, theft of sensitive information such as authentication tokens, or manipulation of displayed content, undermining user trust and potentially violating data protection regulations like GDPR. The vulnerability's ability to affect confidentiality, integrity, and availability—even if limited—means that organizations could face reputational damage, legal consequences, and operational disruptions. Sectors such as e-commerce, government portals, educational institutions, and media outlets that use this commenting system are particularly at risk. The requirement for high privileges to exploit the vulnerability somewhat limits the attack surface to insiders or compromised accounts, but the stored nature of the XSS means that once injected, any user viewing the affected pages could be impacted. This persistent threat vector increases the risk of widespread impact within organizations and their user base.

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, conduct a thorough audit of all input handling and output encoding related to the Custom Comment functionality, ensuring that all user inputs are properly sanitized and encoded before rendering. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. Limit user privileges rigorously to reduce the risk of high-privilege accounts being compromised and used to inject malicious content. Implement web application firewalls (WAFs) with rules specifically designed to detect and block XSS payloads targeting the Custom Comment module. Monitor logs and user activity for unusual comment submissions or script injections. Educate users and administrators about the risks of XSS and the importance of cautious interaction with user-generated content. Finally, plan for timely application of patches or updates from the vendor once they become available, and consider alternative commenting solutions if the risk is deemed unacceptable.