CVE-2025-60932 identifies multiple stored cross-site scripting (XSS) vulnerabilities in the Current Goals function of HR Performance Solutions Performance Pro version 3.19.17. Stored XSS occurs when malicious input is saved by the application and later rendered in users’ browsers without proper sanitization or encoding. In this case, attackers can craft payloads injected into various parameters such as Goal Name, Goal Notes, Action Step Name, Action Step Description, Note Name, and Goal Description. When other users or administrators view these fields, the malicious scripts execute in their browsers. This can lead to session hijacking, theft of cookies or credentials, unauthorized actions performed on behalf of the victim, or delivery of further malware. The vulnerability affects a critical HR management application that likely contains sensitive employee and organizational data. The vendor has addressed these vulnerabilities in the patched release PP-Release-6.3.2.0. No CVSS score is currently assigned, and no public exploits have been reported. The vulnerability was reserved in late September 2025 and published in October 2025, indicating recent discovery and disclosure.

For European organizations, exploitation of these stored XSS vulnerabilities could result in significant confidentiality breaches, including exposure of sensitive HR data such as employee goals, performance notes, and personal information. Attackers could leverage the vulnerability to hijack sessions of HR personnel or managers, potentially manipulating performance records or gaining further access to internal systems. This could damage organizational reputation, lead to regulatory non-compliance (e.g., GDPR violations), and cause operational disruptions. Since HR Performance Solutions Performance Pro is a specialized HR management tool, organizations relying on it for performance management are at direct risk. The impact is heightened in sectors with strict data privacy requirements or where insider threat risks are critical. Although no known exploits exist yet, the stored nature of the XSS and multiple injection points increase the likelihood of exploitation attempts once public details are widely known.

European organizations using Performance Pro v3.19.17 should urgently upgrade to the patched version PP-Release-6.3.2.0 to remediate these vulnerabilities. In addition, organizations should implement strict input validation and output encoding on all user-supplied data fields related to goals and action steps to prevent injection of malicious scripts. Web application firewalls (WAFs) can be configured to detect and block common XSS payloads as an interim protective measure. Security teams should conduct thorough code reviews and penetration testing focused on stored XSS vectors within HR applications. User awareness training for HR staff to recognize suspicious content and avoid clicking on unexpected links or scripts can reduce risk. Monitoring logs for unusual activity or repeated failed attempts to inject scripts can help detect exploitation attempts early. Finally, organizations should review access controls to limit who can create or edit goal-related content to trusted users only.