CVE-2025-50754: n/a

Critical
Tags: Vulnerability, CVE-2025-50754
Published: Mon Aug 04 2025 (08/04/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewed by an administrator. This allows attackers to hijack the admin session and, by leveraging the template editor, upload and execute a PHP web shell on the server, leading to full remote code execution.

AI-Powered Analysis

Last updated: 08/04/2025, 21:17:50 UTC

Technical Analysis

CVE-2025-50754 is a critical security vulnerability identified in Unisite CMS version 5.0, specifically within its "Report" functionality. The vulnerability is a stored Cross-Site Scripting (XSS) flaw that allows an attacker to inject malicious scripts into the system. When an administrator views the compromised report, the malicious script executes in the context of the admin panel, enabling the attacker to hijack the administrator's session. This session hijacking is a pivotal step that grants the attacker elevated privileges within the CMS environment. Leveraging these privileges, the attacker can access the template editor feature of the CMS, which is intended for modifying website templates. Through this editor, the attacker can upload and execute a PHP web shell on the server. The web shell provides a backdoor for the attacker, allowing full remote code execution (RCE) on the server hosting the CMS.

This chain of exploitation—from stored XSS to session hijacking to RCE—makes this vulnerability particularly dangerous. The absence of a CVSS score indicates that this vulnerability is newly disclosed, but the technical details clearly demonstrate a high-impact threat vector. The vulnerability requires that an attacker can submit malicious input to the report functionality and that an administrator views the infected report, implying some level of user interaction is necessary. However, once exploited, the attacker gains complete control over the server, which can lead to data theft, defacement, lateral movement within the network, or deployment of further malware.

Potential Impact

For European organizations using Unisite CMS version 5.0, this vulnerability poses a severe risk. The ability to execute arbitrary code on the server compromises the confidentiality, integrity, and availability of the affected systems. Sensitive data managed by the CMS, including customer information, internal reports, and administrative credentials, could be exfiltrated or manipulated. The attacker’s ability to maintain persistence via a web shell increases the risk of prolonged undetected access, enabling espionage or sabotage. Given that the attack vector involves the admin panel, organizations with multiple administrators or less stringent access controls are at higher risk. The exploitation could disrupt business operations, damage reputation, and lead to regulatory penalties under GDPR if personal data is compromised. Additionally, the vulnerability could be leveraged as a foothold for broader network compromise, affecting interconnected systems and services. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the severity of the vulnerability demands immediate attention.

Mitigation Recommendations

European organizations should prioritize the following mitigation steps:

1) Immediate patching or upgrading to a fixed version of Unisite CMS once available. In the absence of an official patch, apply virtual patching via Web Application Firewalls (WAFs) configured to detect and block malicious scripts targeting the report functionality.
2) Restrict access to the admin panel using network segmentation, IP whitelisting, and multi-factor authentication (MFA) to reduce the risk of session hijacking.
3) Implement strict input validation and output encoding on all user-submitted content, especially in the report module, to prevent injection of malicious scripts.
4) Regularly audit and monitor server logs and CMS activity for unusual behavior indicative of web shell deployment or unauthorized access.
5) Disable or tightly control the template editor functionality, limiting its use to trusted administrators and monitoring changes closely.
6) Conduct security awareness training for administrators to recognize suspicious activity and avoid interacting with untrusted reports.
7) Employ endpoint detection and response (EDR) tools on servers hosting the CMS to detect and respond to anomalous processes or file changes associated with web shells.
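
As an added illustration of recommendations 3 and 4 (this is not code from Unisite CMS or from the advisory), the following sketch audits already-stored report submissions for active-content markers and shows output encoding for the admin view. The record schema (`id`, `body`), the function names and the sample rows are assumptions constructed for the example, and Python's `html.escape` stands in for whatever encoding routine the CMS's own PHP code would use.

```python
import html
import re

# Markers of active content that a plain-text report field should never contain.
ACTIVE_CONTENT = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)),
    ("script-url", re.compile(r"(?:javascript|vbscript)\s*:", re.I)),
    ("embedding-tag", re.compile(r"<\s*(?:iframe|object|embed|svg)\b", re.I)),
]

def normalize(text):
    """Undo HTML entity encoding (up to 3 layers) so encoded markup is still matched."""
    for _ in range(3):
        decoded = html.unescape(text)
        if decoded == text:
            break
        text = decoded
    return text

def audit_reports(reports):
    """Return {report_id: [marker names]} for stored reports carrying active content."""
    findings = {}
    for report in reports:
        body = normalize(report["body"])
        hits = [name for name, rx in ACTIVE_CONTENT if rx.search(body)]
        if hits:
            findings[report["id"]] = hits
    return findings

def render_report_cell(body):
    """Encode a stored report for an HTML text context in the admin view."""
    return html.escape(body, quote=True)

# Constructed sample rows standing in for the CMS's stored reports (hypothetical schema).
SAMPLE_REPORTS = [
    {"id": 101, "body": "Broken link on the pricing page, see section 3 < 4."},
    {"id": 102, "body": "<script src=//example.invalid/x.js></script>"},
    {"id": 103, "body": "typo &lt;img src=x onerror=&quot;void(0)&quot;&gt;"},
    {"id": 104, "body": "Spam listing, please remove. Contact: a@example.com"},
]

if __name__ == "__main__":
    for rid, hits in audit_reports(SAMPLE_REPORTS).items():
        print(f"report {rid}: {', '.join(hits)}")
    print(render_report_cell(SAMPLE_REPORTS[1]["body"]))
```

Flagged rows are candidates for review and purge before an administrator opens them; the encoding step is what keeps any remaining row inert when rendered.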

Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
Cvss Version: null
State: PUBLISHED

Threat ID: 68911ff1ad5a09ad00e325ac

Added to database: 8/4/2025, 9:02:41 PM

Last enriched: 8/4/2025, 9:17:50 PM

Last updated: 8/4/2025, 9:17:50 PM
