CVE-2025-55287 is a high-severity authenticated stored Cross-Site Scripting (XSS) vulnerability affecting versions of the MGeurts genealogy PHP application prior to 4.4.0. The vulnerability arises from improper neutralization of user-supplied input during web page generation (CWE-79). Specifically, authenticated attackers can inject malicious JavaScript code that is stored persistently within the application and executed in the context of other users’ sessions when they view the affected content. This allows the attacker to hijack user sessions, steal sensitive data, and manipulate the user interface. The vulnerability requires the attacker to have authenticated access, and exploitation involves user interaction, such as another user viewing the injected content. The CVSS 3.0 base score of 8.0 reflects the high impact on confidentiality, integrity, and availability, combined with relatively low attack complexity and no requirement for privileges beyond authentication. The flaw is fixed in version 4.4.0 of the application. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk to organizations using vulnerable versions of the MGeurts genealogy software.

For European organizations, particularly those involved in genealogy research, family history services, or cultural heritage institutions using the MGeurts genealogy application, this vulnerability could lead to severe consequences. Exploitation could result in unauthorized access to personal and genealogical data, which often includes sensitive personal information protected under GDPR. Session hijacking could allow attackers to impersonate legitimate users, potentially leading to further unauthorized data access or manipulation. UI manipulation could undermine user trust and damage organizational reputation. Given the nature of genealogy data, the breach of confidentiality could have privacy implications for European citizens. Additionally, if the application is integrated with other systems or used in multi-user environments, the scope of impact could extend beyond the genealogy platform itself. The requirement for authentication limits exposure to some extent, but insider threats or compromised credentials could facilitate exploitation.

Organizations should immediately upgrade the MGeurts genealogy application to version 4.4.0 or later, where the vulnerability is patched. Until the upgrade is applied, implement strict input validation and output encoding on all user-supplied data within the application to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Conduct regular audits of user-generated content to detect and remove any malicious scripts. Enforce strong authentication mechanisms and monitor for suspicious login activities to reduce the risk of attacker access. Educate users about the risks of clicking on untrusted links or content within the genealogy platform. Additionally, consider isolating the genealogy application environment and restricting access to trusted users only. Implement web application firewalls (WAF) with rules targeting XSS attack patterns to provide an additional layer of defense.