CVE-2025-60299: n/a
Description
Novel-Plus version 5.2.0 was discovered to contain a Stored Cross-Site Scripting (XSS) vulnerability via the /book/addCommentReply endpoint. An authenticated user can inject malicious JavaScript through the replyContent parameter when replying to a book comment. The payload is stored in the database and is executed in other users' browsers when they view the affected comment thread.
AI Analysis
Technical Summary
CVE-2025-60299 identifies a stored Cross-Site Scripting (XSS) vulnerability in Novel-Plus version 5.2.0. The flaw lies in the /book/addCommentReply endpoint: an authenticated user can inject JavaScript through the replyContent parameter when replying to a book comment. Because the payload is persisted in the backend database, it is served to every user who later views the affected comment thread, and the script executes in their browsers. Stored XSS of this kind can lead to session hijacking, theft of sensitive information, actions performed with the victim's privileges, and distribution of malware. Exploitation requires an authenticated account, which limits it to registered users, but no further victim interaction is needed beyond viewing the infected thread.
No CVSS score has been assigned, and no public exploits or patches have been reported; the absence of patch links suggests that remediation is pending or in development. The root cause is insufficient input sanitization and output encoding of the replyContent value, which allows script injection. Because Novel-Plus is a platform built around user-generated content and interaction, the vulnerability could be used against a broad user base, particularly where users trust the platform's content, and because the payload persists it affects multiple users over time, increasing the potential impact.
Potential Impact
For European organizations using Novel-Plus 5.2.0, this vulnerability poses a significant risk to user confidentiality and integrity. Attackers with authenticated access can inject malicious scripts that execute in other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions such as changing user settings or posting malicious content. This can erode user trust, damage organizational reputation, and lead to compliance issues under regulations like GDPR if personal data is compromised. The persistent nature of stored XSS means that once exploited, multiple users can be affected over time, amplifying the impact. Additionally, if Novel-Plus is used in educational, publishing, or community platforms popular in Europe, the scale of affected users could be substantial. The vulnerability does not directly affect availability but can indirectly disrupt services if exploited to deface content or spread malware. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with large user bases or weak account controls.
Mitigation Recommendations
To mitigate this vulnerability, organizations should implement strict input validation and sanitization on the replyContent parameter to disallow or neutralize any executable scripts or HTML tags. Employing robust output encoding (e.g., HTML entity encoding) before rendering user-generated content in browsers is critical to prevent script execution. Applying Content Security Policy (CSP) headers can reduce the impact by restricting the sources of executable scripts. Novel-Plus developers should prioritize releasing a security patch that addresses this issue by fixing the input handling and output rendering mechanisms. Organizations should also review user authentication and authorization controls to limit the number of users who can post comments or replies. Monitoring comment threads for suspicious or anomalous content can help detect exploitation attempts early. Educating users about the risks of clicking on suspicious links or interacting with unexpected content can reduce the likelihood of successful exploitation. Finally, organizations should maintain up-to-date backups and incident response plans to quickly recover from any attacks leveraging this vulnerability.
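The two rendering-side controls recommended above, output encoding and a restrictive CSP, together with a simple monitoring check for markup in what should be plain-text replies, are illustrated below. This is an added example written for this page, not code from the Novel-Plus project; only the field name replyContent comes from the advisory, and the reply object shape, the sample reply text and the CSP value are constructed assumptions.

```javascript
// Added example (not Novel-Plus project code). Assumptions: a reply record
// with `id` and `replyContent` fields (the field name is from the advisory,
// the record shape is constructed), rendered into HTML by string templating.

// HTML entity encoding of the five characters that can break out of text or
// attribute context. Applied at render time, so the stored value is never
// interpreted as markup by the browser.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the stored replyContent is concatenated straight into
// HTML, so a stored <script> tag or event handler runs in every viewer's browser.
function renderReplyUnsafe(reply) {
  return `<div class="reply" data-id="${reply.id}">${reply.replyContent}</div>`;
}

// Hardened pattern: every untrusted field is encoded before interpolation,
// including the attribute value, so neither context can be escaped.
function renderReplySafe(reply) {
  return `<div class="reply" data-id="${escapeHtml(reply.id)}">` +
    `${escapeHtml(reply.replyContent)}</div>`;
}

// Defence in depth: a Content-Security-Policy that forbids inline scripts
// limits the impact if an encoding step is ever missed. Constructed value;
// tune the sources for the real deployment.
const CSP_HEADER =
  "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'";

// Monitoring: a plain-text comment field should never contain markup or
// script-like constructs. Returns the reasons a reply was flagged, or an
// empty array when nothing suspicious was found; feed hits to review/alerting.
function flagSuspiciousReply(replyContent) {
  const text = String(replyContent);
  const checks = [
    [/<\s*script\b/i, 'script tag'],
    [/\bon[a-z]+\s*=/i, 'inline event handler'],
    [/javascript\s*:/i, 'javascript: URL'],
    [/<\s*(iframe|object|embed|svg|img)\b/i, 'embedded element'],
  ];
  return checks.filter(([re]) => re.test(text)).map(([, reason]) => reason);
}

// Constructed sample: a stored reply carrying the classic XSS probe.
const sampleReply = {
  id: 42,
  replyContent: 'Great chapter! <script>alert(1)</script>',
};

// Stand-alone usage: show both renderings and the monitoring verdict.
console.log('unsafe :', renderReplyUnsafe(sampleReply));
console.log('safe   :', renderReplySafe(sampleReply));
console.log('flags  :', flagSuspiciousReply(sampleReply.replyContent));
console.log('CSP    :', CSP_HEADER);
```

Encoding at the output boundary is the control that actually closes the hole; the monitoring regexes are deliberately coarse and exist to surface exploitation attempts for review, not to sanitize input, so they should never be the only defence.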
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68e663569e2ffba8db3c4585
Added to database: 10/8/2025, 1:12:54 PM
Last enriched: 10/8/2025, 1:13:58 PM
Last updated: 10/8/2025, 2:29:56 PM
Related Threats
- CVE-2025-60834: n/a (severity: Unknown)
- CVE-2025-43771: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Liferay Portal (severity: Medium)
- CVE-2025-60833: n/a (severity: High)
- CVE-2025-60830: n/a (severity: High)
- CVE-2025-11478: SQL Injection in SourceCodester Farm Management System (severity: Medium)