
CVE-2025-60445: n/a

Medium
Vulnerability: CVE-2025-60445
Published: Fri Oct 03 2025 (10/03/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A stored Cross-Site Scripting (XSS) vulnerability has been discovered in XunRuiCMS version 4.7.1. The vulnerability exists due to insufficient validation of SVG file uploads in the dayrui/Fcms/Library/Upload.php component, allowing attackers to inject malicious JavaScript code that executes when the uploaded file is viewed.

AI-Powered Analysis

Last updated: 10/03/2025, 15:55:24 UTC

Technical Analysis

CVE-2025-60445 is a stored Cross-Site Scripting (XSS) vulnerability identified in XunRuiCMS version 4.7.1. The vulnerability arises from insufficient validation of SVG file uploads within the dayrui/Fcms/Library/Upload.php component. Specifically, the system fails to properly sanitize or validate the contents of uploaded SVG files, which are XML-based vector images capable of embedding JavaScript code. An attacker can exploit this by uploading a crafted SVG file containing malicious JavaScript payloads. When the uploaded SVG file is subsequently viewed or rendered by a user or administrator in the CMS interface, the embedded script executes in the context of the victim's browser. This stored XSS can lead to session hijacking, unauthorized actions on behalf of the user, or further exploitation such as pivoting into internal networks. The vulnerability is notable because it requires no authentication (PR:N) and has a low attack complexity (AC:L), but it does require user interaction (UI:R) in the form of viewing the malicious SVG. The scope is changed (S:C), indicating that the vulnerability can affect resources beyond the initially vulnerable component, potentially impacting other users or systems relying on the CMS. The CVSS v3.1 base score is 6.1, categorizing it as a medium severity issue. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

Potential Impact

For European organizations using XunRuiCMS version 4.7.1, this vulnerability poses a significant risk to the confidentiality and integrity of user sessions and data. Successful exploitation could allow attackers to steal session cookies, perform unauthorized actions within the CMS, or deliver secondary payloads such as malware. This can lead to defacement, data leakage, or compromise of backend systems connected to the CMS. Since the vulnerability is stored XSS, it can affect multiple users who view the malicious SVG, increasing the attack surface. The lack of authentication requirement means external attackers can upload malicious files if upload functionality is publicly accessible or insufficiently protected. Given the widespread use of CMS platforms in European public sector, e-commerce, and media organizations, exploitation could disrupt business operations, damage reputations, and lead to regulatory non-compliance under GDPR if personal data is exposed. The medium severity score reflects moderate impact, but the potential for chained attacks or social engineering increases risk. The absence of known exploits currently provides a window for proactive mitigation.

Mitigation Recommendations

European organizations should immediately audit their use of XunRuiCMS and identify any instances running version 4.7.1. Until an official patch is released, organizations should implement strict file upload validation controls, specifically restricting SVG uploads or sanitizing SVG content to remove embedded scripts. Employing Content Security Policy (CSP) headers can help mitigate the impact of XSS by restricting script execution sources. Additionally, review and tighten permissions on upload functionalities to ensure only authenticated and authorized users can upload files. Monitoring logs for unusual upload activity or access to SVG files can provide early detection of exploitation attempts. User awareness training should emphasize caution when interacting with uploaded content. Finally, organizations should subscribe to vendor advisories and CVE databases to apply patches promptly once available.
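The "restrict or sanitize SVG uploads" recommendation above can be enforced at the upload handler before a file is stored. The following added example (not XunRuiCMS code) is a conservative allow-list check that rejects an SVG carrying script elements, event-handler attributes, href values with script or data schemes, inline styles, or a DTD; the sample inputs are constructed, and the element/attribute lists are assumptions chosen to err on the side of rejection.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Elements that can execute, embed or pull in script-like content (conservative list).
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object",
                  "animate", "set", "handler", "use"}
URL_SCHEMES_BLOCKED = ("javascript:", "data:", "vbscript:")


def _local(qname: str) -> str:
    # Strip the {namespace} prefix ElementTree puts on tags and attributes.
    return qname.rsplit("}", 1)[-1]


def svg_findings(data: bytes) -> list[str]:
    """Return reasons to reject the upload; an empty list means no active content was found."""
    head = data[:4096].lower()
    if b"<!doctype" in head or b"<!entity" in head:
        # Refuse before parsing: a DTD enables entity-expansion and external-entity tricks.
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    findings = []
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is not svg:svg ({root.tag})")
    for el in root.iter():
        name = _local(el.tag)
        if name in FORBIDDEN_TAGS:
            findings.append(f"forbidden element <{name}>")
        if name == "style":
            findings.append("inline <style> element")
        for attr, value in el.attrib.items():
            aname = _local(attr).lower()
            v = value.strip().lower()
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname == "href" and v.startswith(URL_SCHEMES_BLOCKED):
                findings.append(f"href with blocked scheme on <{name}>")
            elif aname == "style" and ("url(" in v or "expression(" in v):
                findings.append(f"style attribute with url()/expression() on <{name}>")
    return findings


def is_safe_svg(data: bytes) -> bool:
    return not svg_findings(data)


# Constructed samples (not from the advisory): a plain icon and one carrying a handler.
BENIGN = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4"/></svg>'
ACTIVE = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4" onload="x()"/></svg>'
```

A rejected file should be dropped rather than "cleaned", and accepted SVGs are best served with a restrictive Content-Security-Policy and a Content-Disposition: attachment header so they are not rendered inline in the CMS origin.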


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-09-26T00:00:00.000Z
CVSS Version: 3.1
State: PUBLISHED


Added to database: 10/3/2025, 3:54:51 PM

Last enriched: 10/3/2025, 3:55:24 PM

Last updated: 10/3/2025, 4:39:41 PM
