CVE-2025-57954 is a medium severity vulnerability classified under CWE-79, which pertains to improper neutralization of input during web page generation, commonly known as Cross-site Scripting (XSS). Specifically, this vulnerability affects the Ays Pro Poll Maker product, versions up to and including 6.0.1. The vulnerability is a DOM-based XSS, meaning that the malicious script injection occurs on the client side when the web application processes data in the Document Object Model (DOM) without proper sanitization or encoding. An attacker can exploit this by crafting a malicious URL or input that, when processed by the Poll Maker application, executes arbitrary JavaScript in the context of the victim's browser. The CVSS v3.1 base score is 6.5, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) reveals that the attack can be launched remotely over the network with low attack complexity, requires the attacker to have some privileges (PR:L) and user interaction (UI:R), and the scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact affects confidentiality, integrity, and availability to a limited extent (C:L/I:L/A:L). No known exploits are currently in the wild, and no patches have been linked yet. The vulnerability could allow attackers to steal session tokens, perform actions on behalf of authenticated users, or manipulate the web interface, potentially leading to further compromise or data leakage.

For European organizations using Ays Pro Poll Maker, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data integrity. Since Poll Maker is often used for creating interactive polls and surveys, attackers exploiting this XSS flaw could inject malicious scripts that hijack user sessions, steal sensitive information, or manipulate poll results, undermining trust and data accuracy. The scope change in the vulnerability means that the impact could extend beyond the Poll Maker application itself, potentially affecting other integrated systems or user accounts. This is particularly concerning for organizations handling personal data under GDPR regulations, as exploitation could lead to unauthorized data disclosure and regulatory penalties. Additionally, the requirement for some privileges and user interaction means that insider threats or targeted phishing campaigns could leverage this vulnerability effectively. The lack of known exploits currently provides a window for mitigation, but the presence of this vulnerability in a web-facing application increases the attack surface for European entities relying on this software for customer engagement or internal feedback mechanisms.

Organizations should prioritize the following mitigation steps: 1) Immediately audit and inventory all deployments of Ays Pro Poll Maker to identify affected versions (up to 6.0.1). 2) Apply any available patches or updates from the vendor as soon as they are released. In the absence of official patches, implement web application firewall (WAF) rules to detect and block suspicious input patterns that could trigger DOM-based XSS. 3) Conduct a thorough review of input handling and output encoding in the Poll Maker application, focusing on client-side scripts that manipulate the DOM. 4) Educate users and administrators about the risks of clicking on untrusted links or inputs that could trigger XSS attacks, especially since user interaction is required. 5) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS payloads. 6) Monitor logs and user activity for signs of exploitation attempts, such as unusual URL parameters or script execution errors. 7) Consider isolating the Poll Maker application or restricting its access to trusted networks until the vulnerability is remediated to reduce exposure.