CVE-2025-60133 is a medium severity vulnerability classified under CWE-79, which pertains to Improper Neutralization of Input During Web Page Generation, commonly known as Cross-site Scripting (XSS). This specific vulnerability affects the PE Easy Slider product developed by DJ-Extensions.com, up to version 1.1.0. The vulnerability is a Stored XSS flaw, meaning that malicious input submitted by an attacker is stored persistently by the application and later rendered in web pages without proper sanitization or encoding. This allows attackers to inject malicious scripts that execute in the browsers of users who view the affected pages. The CVSS 3.1 base score is 5.9, indicating a medium severity level. The vector string (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) reveals that the attack is network exploitable (AV:N) with low attack complexity (AC:L), but requires high privileges (PR:H) and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is low to moderate (C:L/I:L/A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability arises because the PE Easy Slider component does not properly neutralize user-supplied input during web page generation, allowing stored malicious scripts to be executed in the context of users’ browsers, potentially leading to session hijacking, defacement, or redirection to malicious sites.

For European organizations using DJ-Extensions.com PE Easy Slider, this vulnerability poses a risk of client-side attacks that can compromise user sessions and data confidentiality. Since the vulnerability requires high privileges to exploit and user interaction, the threat is somewhat limited to authenticated users who can input content into the slider component. However, if exploited, attackers could execute arbitrary JavaScript in the context of the affected website, potentially stealing cookies, performing actions on behalf of users, or spreading malware. This can lead to reputational damage, loss of customer trust, and regulatory consequences under GDPR if personal data is compromised. Organizations in sectors with high web presence such as e-commerce, media, and public services are particularly at risk. The changed scope indicates that the impact could extend beyond the immediate application, possibly affecting integrated systems or services. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers often develop exploits after public disclosure.

European organizations should prioritize the following mitigations: 1) Immediately audit the use of PE Easy Slider on their websites and identify versions up to 1.1.0. 2) Apply any available patches or updates from DJ-Extensions.com as soon as they are released. In the absence of patches, implement input validation and output encoding on all user-supplied content rendered by the slider to neutralize malicious scripts. 3) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of XSS attacks. 4) Limit user privileges to the minimum necessary to reduce the risk posed by high privilege requirements. 5) Conduct regular security testing, including automated scanning and manual penetration testing focused on XSS vulnerabilities in web components. 6) Educate users and administrators about the risks of clicking on suspicious links or interacting with untrusted content. 7) Monitor web application logs for unusual activities that could indicate exploitation attempts. 8) Consider isolating or replacing the vulnerable component if immediate patching is not feasible.