
CVE-2025-49889: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in imaprogrammer Custom Comment

Severity: Medium
Tags: Vulnerability, CVE-2025-49889, CWE-79
Published: Wed Aug 20 2025 (08/20/2025, 08:03:38 UTC)
Source: CVE Database V5
Vendor/Project: imaprogrammer
Product: Custom Comment

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in imaprogrammer Custom Comment allows Stored XSS. This issue affects Custom Comment: from n/a through 2.1.6.

AI-Powered Analysis

Last updated: 08/20/2025, 09:22:39 UTC

Technical Analysis

CVE-2025-49889 is a medium severity vulnerability classified under CWE-79, Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). It affects the 'Custom Comment' product developed by imaprogrammer, from an unspecified starting version (n/a) through 2.1.6. The flaw allows an attacker to submit comment content containing script that is stored persistently by the application (Stored XSS). When other users load the affected pages, the stored script executes in their browsers, which can enable session hijacking, content defacement, or redirection to attacker-controlled sites. The CVSS 3.1 base score is 5.9 (medium), with the vector AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L: the attack is performed remotely over the network with low complexity, but it requires high privileges (PR:H) to plant the payload and user interaction (UI:R) from the victim; the scope is changed because the script runs in the victim's browser rather than in the vulnerable component, and confidentiality, integrity, and availability are each affected to a low degree. No patch and no known in-the-wild exploitation have been reported at the time of publication. The root cause is insufficient sanitization or output encoding of user-submitted comment text when the page that displays it is generated, so a stored payload is emitted as live markup in the context of other users' browsers.

Potential Impact

For European organizations using the imaprogrammer Custom Comment system, this vulnerability primarily threatens web applications that rely on user-generated content for interaction, such as forums, blogs, or customer feedback portals. Exploitation could lead to theft of user credentials, session tokens, or personal data, which would constitute a personal-data breach under GDPR and other data protection regulations. The integrity of the displayed web content could be compromised, damaging organizational reputation and trust. The availability impact is limited but possible if the injected script performs disruptive actions in the victim's browser. Because exploitation requires high privileges and user interaction, the risk is somewhat reduced, but it remains significant wherever privileged users, such as site administrators or moderators, interact with the comment system, since their sessions are the ones exposed. A cross-site scripting foothold could also be used as a stepping stone for further attacks, especially in organizations whose web applications are integrated with internal systems.

Mitigation Recommendations

Organizations should immediately audit their use of the imaprogrammer Custom Comment product and upgrade to a patched version once one is available. Until a patch exists, apply strict input validation and, more importantly, context-aware output encoding to all user-supplied data before it is rendered into a web page. Deploy Content Security Policy (CSP) headers that restrict the sources from which scripts may execute, which limits the impact of any XSS that slips through. Restrict the set of users who can submit or approve comments, since the vulnerability requires elevated privileges to exploit. Conduct regular security testing, including automated scanning and manual code review focused on how comment content is handled on output. Monitor web server and application logs for requests whose comment fields contain markup or script-like content. Educate users, particularly those with high privileges, about the risks of interacting with untrusted content. Finally, consider a web application firewall (WAF) with rules tuned to detect and block XSS payloads directed at this product.
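The output-encoding fix recommended above, shown against the unencoded rendering pattern behind this CWE-79 finding. This is an added illustration in JavaScript, not code from the Custom Comment product; the comment object, field names and CSP value are constructed for the example.

```javascript
// Added example (not the plugin's own code): an unescaped comment renderer
// (the pattern that produces stored XSS) beside one that applies HTML output
// encoding, plus a CSP header as defence in depth. All inputs are constructed.

// Encode the five characters that can break out of HTML text or attribute context.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Vulnerable pattern: stored comment fields are concatenated straight into markup.
function renderCommentUnsafe(c) {
  return `<li class="comment" data-author="${c.author}"><p>${c.body}</p></li>`;
}

// Hardened pattern: every user-controlled field is encoded before it reaches the page.
// Quotes are encoded too, so the author field cannot escape the attribute it sits in.
function renderCommentSafe(c) {
  return `<li class="comment" data-author="${escapeHtml(c.author)}"><p>${escapeHtml(c.body)}</p></li>`;
}

// Defence in depth: disallow inline script so an encoding miss elsewhere does not
// automatically become script execution in the reader's browser.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'";

// Constructed stored comment: body carries a script tag, author tries to close the attribute.
const sampleComment = {
  author: 'x" onmouseover="alert(1)',
  body: '<script>alert(1)</script>',
};

// Count '<' in rendered HTML. The template itself contributes exactly four
// (<li, <p>, </p>, </li>); anything beyond that came from user input unencoded.
function tagOpenCount(html) {
  return (html.match(/</g) || []).length;
}

// Example run: the unsafe renderer emits six '<', the safe one exactly four.
console.log(tagOpenCount(renderCommentUnsafe(sampleComment)));
console.log(tagOpenCount(renderCommentSafe(sampleComment)));
```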


Technical Details

Data Version: 5.1
Assigner Short Name: Patchstack
Date Reserved: 2025-06-11T16:06:23.852Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68a584b6ad5a09ad0002e34d

Added to database: 8/20/2025, 8:17:58 AM

Last enriched: 8/20/2025, 9:22:39 AM

Last updated: 8/27/2025, 12:34:26 AM

