
CVE-2025-51965: n/a

Medium
Published: Thu Aug 14 2025 (08/14/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

OURPHP thru 8.6.1 is vulnerable to Cross-Site Scripting (XSS) via the "Name" field of the "Complete Profile" functionality under the "My User Center" page, which can be accessed after registering through the front-end interface.

AI-Powered Analysis

Last updated: 08/22/2025, 01:07:18 UTC

Technical Analysis

CVE-2025-51965 is a Cross-Site Scripting (XSS) vulnerability affecting OURPHP versions through 8.6.1. The vulnerability exists in the "Name" field of the "Complete Profile" functionality located under the "My User Center" page, which is accessible after user registration via the front-end interface. This XSS flaw is classified under CWE-79, indicating improper neutralization of input during web page generation. An attacker can exploit this vulnerability by injecting malicious scripts into the "Name" field, which are then executed in the context of other users viewing the affected page or potentially by the victim user themselves. The CVSS v3.1 base score is 6.1 (medium severity), with the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that the attack can be performed remotely over the network with low attack complexity, no privileges required, but requires user interaction (such as the victim visiting a crafted page). The scope is changed (S:C), meaning the vulnerability affects resources beyond the vulnerable component. The impact affects confidentiality and integrity to a limited extent, with no impact on availability. No known exploits are currently reported in the wild, and no patches or fixes are linked yet. This vulnerability can be leveraged to steal session tokens, perform actions on behalf of users, or conduct phishing attacks by injecting malicious scripts that run in the victim's browser context.

Potential Impact

For European organizations using OURPHP CMS or web applications built on it, this vulnerability poses a moderate risk. Exploitation could lead to theft of user credentials, session hijacking, or unauthorized actions performed on behalf of users, potentially leading to data breaches or unauthorized access to sensitive information. Since the vulnerability requires user interaction, phishing or social engineering campaigns could be used to lure users into triggering the malicious payload. Organizations handling personal data under GDPR must be cautious as exploitation could lead to data confidentiality breaches and regulatory non-compliance. The impact is particularly significant for organizations with customer-facing portals or intranet systems where user profiles are managed. The vulnerability could also be used as a foothold for further attacks within the network if combined with other vulnerabilities or social engineering tactics.

Mitigation Recommendations

1. Immediate mitigation should include input validation and output encoding on the "Name" field in the "Complete Profile" functionality to neutralize any injected scripts.
2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context.
3. Apply strict sanitization libraries or frameworks that automatically escape user input before rendering it in HTML.
4. Educate users to be cautious of suspicious links or inputs that could trigger XSS attacks.
5. Monitor web application logs for unusual input patterns or repeated attempts to inject scripts.
6. If possible, restrict the "Name" field input to alphanumeric characters and a limited set of safe symbols.
7. Since no official patch is currently available, consider temporary workarounds such as disabling the vulnerable "Complete Profile" functionality or restricting access to it until a fix is released.
8. Regularly check for updates from OURPHP developers and apply patches promptly once available.
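Recommendations 1, 2 and 6 above, sketched in PHP as an added example (not OURPHP's code and not part of the advisory). The function names, the 64-character limit, the allowed symbol set and the CSP value are assumptions.

```php
<?php
declare(strict_types=1);
// Hypothetical helpers: names, limits and policy are assumptions, not OURPHP code.

/** Recommendation 6: allowlist for the "Name" field; returns null when rejected. */
function validate_profile_name(string $raw): ?string
{
    $name = trim($raw);
    // Letters, digits, space, dot, apostrophe, hyphen; 1 to 64 characters.
    // The /u flag also makes preg_match fail on invalid UTF-8.
    if (preg_match('/^[\p{L}\p{N} .\'-]{1,64}\z/u', $name) !== 1) {
        return null; // reject outright instead of stripping and storing
    }
    return $name;
}

/** Recommendation 1: encode for HTML text and quoted attribute contexts. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode at render time so names stored before validation existed are inert too. */
function render_profile_name(string $storedName): string
{
    return '<span class="profile-name">' . e($storedName) . '</span>';
}

/** Recommendation 2: a CSP without inline script limits impact if one sink is missed. */
function send_csp_header(): void
{
    if (!headers_sent()) {
        header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
            . "object-src 'none'; base-uri 'self'");
    }
}

send_csp_header();

// Constructed sample values, not taken from the advisory.
$samples = ["Zoë O'Neil-Smith", 'Ann <b>Lee</b>', str_repeat('a', 65)];
foreach ($samples as $input) {
    $verdict = validate_profile_name($input) === null ? 'rejected' : 'accepted';
    echo $verdict, ': ', render_profile_name($input), PHP_EOL;
}
```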


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-06-16T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 689e40ebad5a09ad005e47b9

Added to database: 8/14/2025, 8:02:51 PM

Last enriched: 8/22/2025, 1:07:18 AM

Last updated: 9/27/2025, 5:40:14 PM
