
CVE-2025-54299: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nobossextensions.com No Boss Testimonials component for Joomla

Severity: Critical
Tags: vulnerability, cve-2025-54299, cwe-79
Published: Mon Jul 28 2025 (07/28/2025, 17:30:00 UTC)
Source: CVE Database V5
Vendor/Project: nobossextensions.com
Product: No Boss Testimonials component for Joomla

Description

A stored XSS vulnerability in No Boss Testimonials component 1.0.0-3.0.0 and 4.0.0-4.0.2 for Joomla was discovered.

AI-Powered Analysis

Last updated: 08/12/2025, 01:08:21 UTC

Technical Analysis

CVE-2025-54299 is a critical stored Cross-site Scripting (XSS) vulnerability identified in the No Boss Testimonials component for Joomla, versions 1.0.0 through 3.0.0 and 4.0.0 through 4.0.2. This component, developed by nobossextensions.com, is used to manage and display user testimonials on Joomla-powered websites. The vulnerability arises from improper neutralization of input during web page generation (CWE-79), allowing an attacker to inject malicious scripts that are stored persistently within the application. When other users or administrators view the affected pages, the malicious scripts execute in their browsers within the context of the vulnerable site. The CVSS 4.0 base score is 9.4 (critical), reflecting the vulnerability's high impact and ease of exploitation: it requires no privileges or authentication and no user interaction beyond visiting a compromised page. The vulnerability affects confidentiality, integrity, and availability, as attackers can steal session tokens, perform actions on behalf of users, or deface content. Although no known exploits are currently reported in the wild, the high severity and public disclosure necessitate immediate attention. The lack of available patches at the time of publication increases the urgency for mitigation. Joomla sites using this component are at risk, especially those that allow public submission of testimonials or have insufficient input validation and output encoding controls.

Potential Impact

For European organizations, this vulnerability poses significant risks, particularly for businesses, government agencies, and NGOs relying on Joomla websites with the No Boss Testimonials component. Exploitation could lead to session hijacking, unauthorized actions, data theft, or reputational damage through defacement or malicious content injection. Given the critical CVSS score and the component's role in user-generated content, attackers could leverage this flaw to target employees or customers via phishing or social engineering campaigns. The impact is heightened in sectors with strict data protection regulations such as GDPR, where data breaches can result in substantial fines and legal consequences. Additionally, compromised websites may be used as vectors for further attacks within organizational networks or to distribute malware. The vulnerability's presence in multiple component versions broadens the attack surface, affecting a wide range of Joomla installations across Europe.

Mitigation Recommendations

Organizations should immediately audit their Joomla installations to identify the presence of the No Boss Testimonials component in the affected versions (1.0.0-3.0.0 and 4.0.0-4.0.2). Until an official patch is released, practical mitigations include disabling or uninstalling the vulnerable component to eliminate the attack vector. Implement strict input validation and output encoding on all user-submitted content fields related to testimonials to prevent script injection. Employ Web Application Firewalls (WAFs) with rules designed to detect and block XSS payloads targeting the component. Regularly monitor web server logs and application behavior for suspicious activities indicative of exploitation attempts. Educate site administrators and users about the risks of XSS and encourage cautious handling of links and content from untrusted sources. Once patches become available, prioritize prompt testing and deployment. Additionally, consider implementing Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts on affected web pages.
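As an added illustration, not code from the No Boss Testimonials component or from this advisory, the following PHP puts the CWE-79 rendering pattern side by side with the hardened form the recommendations above describe: output encoding of every stored field at render time, an input-side normalisation for the plain-text testimonial body, and a Content-Security-Policy header as a second layer. The array shape, the field names, the helper names and the sample record are assumptions chosen for the example.

```php
<?php
// Added example (not the vendor's code). Assumed record shape:
// ['author' => string, 'body' => string, 'rating' => string|int].
declare(strict_types=1);

/** Encode a string for insertion into HTML text or a quoted attribute. */
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * The CWE-79 pattern: stored values are concatenated into markup verbatim,
 * so anything a submitter saved is interpreted by the viewer's browser.
 */
function render_testimonial_unsafe(array $t): string
{
    return '<blockquote class="testimonial">'
         . '<p>' . $t['body'] . '</p>'
         . '<footer>' . $t['author'] . '</footer>'
         . '</blockquote>';
}

/** Hardened rendering: every stored value is encoded at the point of output. */
function render_testimonial_safe(array $t): string
{
    // Numeric field: coerce to a bounded integer rather than trusting the string.
    $rating = max(0, min(5, (int) $t['rating']));
    return '<blockquote class="testimonial" data-rating="' . $rating . '">'
         . '<p>' . esc($t['body']) . '</p>'
         . '<footer>' . esc($t['author']) . '</footer>'
         . '</blockquote>';
}

/**
 * Input-side normalisation for a field that is meant to be plain text:
 * drop markup, strip control characters, cap the length. This reduces what
 * reaches storage; it does not replace output encoding.
 */
function normalize_testimonial_input(string $raw, int $maxLen = 2000): string
{
    $text = strip_tags($raw);
    $text = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', '', $text) ?? '';
    return mb_substr(trim($text), 0, $maxLen);
}

/** CSP value that confines script execution to same-origin resources. */
function csp_value(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";
}

// Constructed sample record: the body carries a markup fragment with an
// event attribute, the kind of content a public submission form might store.
$sample = [
    'author' => 'A. Reviewer <reviewer@example.invalid>',
    'body'   => 'Great product! <b onclick="doSomething()">details</b>',
    'rating' => '7',
];

// Normalised input as it would be stored, then rendered with encoding.
$stored = $sample;
$stored['body'] = normalize_testimonial_input($sample['body']);

if (PHP_SAPI !== 'cli') {
    header('Content-Security-Policy: ' . csp_value());
}
echo render_testimonial_safe($sample), PHP_EOL;   // tags appear as inert text, rating clamped
echo render_testimonial_safe($stored), PHP_EOL;   // markup already removed at intake
```

In a Joomla view layout the encoding step is normally written as `$this->escape($value)`, the `HtmlView` helper that wraps `htmlspecialchars` with the site charset, and the header would be set through the application's response object rather than `header()`. Encoding at output is the control that closes the CWE-79 gap itself; `strip_tags` at intake and the CSP header narrow the exposure when a rendering path is missed, but neither substitutes for it.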


Technical Details

Data Version: 5.1
Assigner Short Name: Joomla
Date Reserved: 2025-07-18T09:52:23.346Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6887b7bcad5a09ad0085f541

Added to database: 7/28/2025, 5:47:40 PM

Last enriched: 8/12/2025, 1:08:21 AM

Last updated: 9/15/2025, 5:39:57 PM

