CVE-2025-59117 identifies a Stored Cross-Site Scripting (XSS) vulnerability in Windu CMS, an open-source content management system. The vulnerability exists in the page editing endpoint located at windu/admin/content/pages/edit/. It arises from improper neutralization of input during web page generation, classified under CWE-79. Specifically, privileged users can inject malicious scripts into page content that are stored persistently and executed when viewed by other users, particularly those with higher privileges. This can lead to session hijacking, privilege escalation, or unauthorized actions within the CMS. The vulnerability was confirmed in version 4.1 and fixed in build 2250 of the same version. The CVSS 4.0 base score is 4.8 (medium severity), reflecting network attack vector, low attack complexity, no authentication required beyond privileged user access, and user interaction needed to trigger the exploit. The vulnerability does not affect confidentiality, integrity, or availability directly but can be leveraged to compromise user sessions and escalate privileges. No known exploits are currently in the wild, but the presence of stored XSS in a CMS used for web content management poses a significant risk if exploited. The vulnerability was assigned and published by CERT-PL, indicating active monitoring and response in European cybersecurity communities.

For European organizations, this vulnerability poses a moderate risk primarily to the confidentiality and integrity of web content and user sessions within Windu CMS environments. Attackers with privileged user access can inject malicious scripts that execute in the browsers of higher-privileged users, potentially leading to session hijacking, unauthorized content modification, or further privilege escalation. This can disrupt internal workflows, compromise sensitive administrative functions, and lead to data leakage or defacement of web properties. Although the vulnerability does not directly impact availability, the indirect consequences of compromised administrative accounts can be severe. Organizations relying on Windu CMS for critical web presence or internal portals should consider this a significant risk, especially if privileged user accounts are not tightly controlled. The absence of known exploits reduces immediate threat but does not eliminate risk, as stored XSS vulnerabilities are commonly targeted once disclosed. European entities with compliance obligations around data protection and integrity (e.g., GDPR) may face regulatory consequences if exploited.

1. Upgrade Windu CMS to version 4.1 build 2250 or later, where the vulnerability is fixed. 2. Restrict privileged user access strictly using the principle of least privilege and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. Implement Content Security Policy (CSP) headers to limit the impact of potential XSS payloads by restricting script execution sources. 4. Conduct regular security audits and code reviews of CMS customizations to detect and remediate unsafe input handling. 5. Monitor CMS logs for unusual activity indicative of attempted exploitation, such as unexpected script injections or privilege escalations. 6. Educate privileged users about the risks of XSS and safe content editing practices. 7. Employ web application firewalls (WAF) with rules tuned to detect and block XSS payloads targeting Windu CMS endpoints. 8. Consider isolating CMS administrative interfaces behind VPNs or IP whitelisting to reduce exposure.