CVE-2025-54299: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nobossextensions.com No Boss Testimonials component for Joomla

Critical
Type: Vulnerability
Tags: CVE-2025-54299, cve, cwe-79
Published: Mon Jul 28 2025 (07/28/2025, 17:30:00 UTC)
Source: CVE Database V5
Vendor/Project: nobossextensions.com
Product: No Boss Testimonials component for Joomla

Description

A stored XSS vulnerability in No Boss Testimonials component 1.0.0-3.0.0 and 4.0.0-4.0.2 for Joomla was discovered.

AI-Powered Analysis

AI analysis last updated: 07/28/2025, 18:02:45 UTC

Technical Analysis

CVE-2025-54299 is a critical stored Cross-Site Scripting (XSS) vulnerability identified in the No Boss Testimonials component versions 1.0.0 through 3.0.0 and 4.0.0 through 4.0.2 for the Joomla content management system. This vulnerability arises due to improper neutralization of input during web page generation (CWE-79), allowing an attacker to inject malicious scripts that are stored persistently within the application. When a legitimate user accesses the affected page, the malicious script executes in their browser context, potentially leading to session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of the user. The vulnerability is exploitable remotely without authentication (AV:N/AC:L/PR:N), requiring only user interaction (UI:P) such as visiting a compromised page. The CVSS 4.0 base score of 9.4 reflects the high impact on confidentiality, integrity, and availability, with high scope and vector complexity. No known exploits are currently reported in the wild, but the severity and ease of exploitation make this a significant threat. Joomla is widely used in Europe for websites ranging from small businesses to government portals, and the No Boss Testimonials component is popular for displaying customer feedback, increasing the attack surface. The lack of available patches at the time of disclosure further elevates the risk for affected installations.

Potential Impact

For European organizations, this vulnerability poses a substantial risk to web applications relying on Joomla with the No Boss Testimonials component. Exploitation can lead to theft of sensitive user data, including authentication tokens and personal information, undermining user trust and potentially violating GDPR requirements. Attackers could leverage the vulnerability to conduct phishing campaigns, spread malware, or pivot to internal networks if administrative credentials are compromised. Public-facing websites of SMEs, e-commerce platforms, and public sector entities are particularly vulnerable, potentially resulting in reputational damage, financial losses, and regulatory penalties. The critical severity and remote exploitability without authentication mean that attackers can target these organizations en masse, especially those slow to update or lacking robust web application firewalls. The persistence of stored XSS also increases the likelihood of repeated exploitation and automated attacks.

Mitigation Recommendations

Organizations should immediately audit their Joomla installations to identify the presence of the No Boss Testimonials component in the affected versions. Until an official patch is released, applying virtual patches via web application firewalls (WAFs) that detect and block suspicious input patterns related to testimonials submission is recommended. Input validation and output encoding should be enforced at the application level to neutralize malicious scripts. Administrators should restrict user permissions to limit who can submit testimonials and monitor logs for unusual activity. Regular backups and incident response plans should be updated to handle potential exploitation. Additionally, organizations should subscribe to vendor advisories for prompt patch deployment once available. Employing Content Security Policy (CSP) headers can also mitigate the impact of XSS by restricting script execution contexts.
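To make the output-encoding and CSP recommendations concrete, here is an added PHP example that is not code from the No Boss Testimonials component or from Joomla: it renders stored testimonial rows the unsafe way (raw echo, the CWE-79 pattern behind this CVE) and the hardened way (HTML-encoded at output time), and sets a Content-Security-Policy header as a second layer. The `$testimonials` rows are constructed sample data, and the function names (`renderUnsafe`, `renderSafe`, `esc`, `sendCsp`) are assumptions for this illustration.

```php
<?php
// Added example, not from No Boss Testimonials or Joomla.
// Shows a stored value rendered unsafely and safely, plus a CSP header.
declare(strict_types=1);

// Constructed sample rows, as they might come back from a database query.
// The second row contains the kind of markup a stored XSS relies on.
$testimonials = [
    ['author' => 'Alice', 'text' => 'Great service & quick delivery.'],
    ['author' => '<img src=x onerror="alert(1)">', 'text' => 'Looks <b>fine</b>'],
];

// Vulnerable rendering: stored values are echoed straight into HTML, so any
// markup in them becomes part of the page (CWE-79).
function renderUnsafe(array $t): string
{
    return '<blockquote>' . $t['text'] . '<cite>' . $t['author'] . '</cite></blockquote>';
}

// Output encoding helper (hypothetical name). ENT_QUOTES also encodes ' and "
// so the value is safe inside attributes as well as element content.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened rendering: every untrusted value goes through esc() at output time.
function renderSafe(array $t): string
{
    return '<blockquote>' . esc($t['text']) . '<cite>' . esc($t['author']) . '</cite></blockquote>';
}

// Defence in depth: a CSP without 'unsafe-inline' blocks inline scripts and
// event handlers, so an encoding slip elsewhere still does not execute script.
function sendCsp(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
        . "object-src 'none'; base-uri 'self'; frame-ancestors 'self'");
}

// Sanity check a reviewer can run: the safe renderer must never emit a raw tag
// from untrusted input.
function safeOutputHasNoRawTags(array $rows): bool
{
    foreach ($rows as $t) {
        if (strpos(renderSafe($t), '<img') !== false || strpos(renderSafe($t), '<b>') !== false) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI !== 'cli') {
    sendCsp(); // must be called before any output
}

foreach ($testimonials as $t) {
    echo 'UNSAFE: ' . renderUnsafe($t) . PHP_EOL;
    echo 'SAFE:   ' . renderSafe($t) . PHP_EOL;
}
echo 'safe renderer clean: ' . (safeOutputHasNoRawTags($testimonials) ? 'yes' : 'no') . PHP_EOL;
```

Run it with `php example.php`: the unsafe line reproduces the `<img ... onerror>` tag verbatim, the safe line shows it as `&lt;img src=x onerror=&quot;alert(1)&quot;&gt;`. In a Joomla view template the equivalent of `esc()` is the view's `$this->escape()` helper, which also wraps `htmlspecialchars`; the point for auditing a component is that every stored field reaches the template through such a call, and that the CSP is delivered on every page that renders the testimonials, not only on the submission form.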

Technical Details

Data Version: 5.1
Assigner Short Name: Joomla
Date Reserved: 2025-07-18T09:52:23.346Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6887b7bcad5a09ad0085f541

Added to database: 7/28/2025, 5:47:40 PM

Last enriched: 7/28/2025, 6:02:45 PM

Last updated: 8/2/2025, 12:34:25 AM
