CVE-2025-50048 is a Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Atakan Au product 'Automatically Hierarchic Categories in Menu' up to version 2.0.9. This vulnerability arises from improper neutralization of input during web page generation, allowing an attacker to inject malicious scripts that are stored and later executed in the context of users viewing the affected web pages. The vulnerability has a CVSS v3.1 base score of 6.5, indicating a medium severity level. The vector string (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be performed remotely over the network with low attack complexity, requires low privileges, and user interaction is necessary. The scope is changed, meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent. Specifically, an attacker could execute arbitrary JavaScript in the victim's browser, potentially stealing session tokens, manipulating page content, or performing actions on behalf of the user. Since this is a stored XSS, the malicious payload persists on the server and affects multiple users. No known exploits are currently reported in the wild, and no patches or updates have been linked yet. The vulnerability is present in a niche product used to manage hierarchical categories in menus, likely within web content management systems or e-commerce platforms. The affected versions are not explicitly detailed beyond 'up to 2.0.9', and no specific version 'n/a' is clarified, suggesting all versions up to 2.0.9 are vulnerable. The vulnerability was published on June 20, 2025, with the reservation date on June 11, 2025, indicating recent discovery and disclosure.

For European organizations, this vulnerability poses a moderate risk primarily to web applications utilizing the Atakan Au 'Automatically Hierarchic Categories in Menu' plugin or module. Exploitation could lead to session hijacking, unauthorized actions performed by authenticated users, and potential data leakage within affected web applications. This can undermine user trust, lead to regulatory non-compliance (e.g., GDPR breaches if personal data is exposed), and cause reputational damage. The impact is particularly significant for sectors relying heavily on web portals with hierarchical menu structures, such as e-commerce, government services, and media companies. Since the vulnerability requires low privileges but user interaction, phishing or social engineering could facilitate exploitation. The changed scope means that the vulnerability could affect multiple components or user roles beyond the initial vector, increasing the risk surface. However, the absence of known exploits and the medium severity rating suggest that immediate widespread impact is limited but should not be ignored. Organizations with public-facing web applications using this product are at higher risk, especially if they have not implemented input validation or content security policies.

1. Immediate mitigation should include implementing strict input validation and output encoding on all user-supplied data within the 'Automatically Hierarchic Categories in Menu' component to neutralize malicious scripts. 2. Employ Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 3. Conduct a thorough audit of all web pages generated by the affected product to identify and sanitize stored inputs. 4. Monitor web application logs for unusual input patterns or user behavior indicative of attempted XSS exploitation. 5. If possible, isolate or disable the vulnerable module until a vendor patch is released. 6. Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content to reduce the likelihood of successful user interaction exploitation. 7. Implement multi-factor authentication (MFA) to reduce the impact of session hijacking. 8. Stay alert for vendor updates or patches and apply them promptly once available. 9. Use web application firewalls (WAFs) with custom rules to detect and block common XSS payloads targeting this component.