CVE-2025-62118 identifies a Stored Cross-Site Scripting (XSS) vulnerability in the kcseopro AdWords Conversion Tracking Code, a tool used to track advertising conversions on websites. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), which allows attackers to inject malicious JavaScript code that is stored persistently and executed in the context of users visiting the affected web pages. This can lead to unauthorized actions such as session hijacking, cookie theft, defacement, or redirection to malicious sites. The vulnerability affects all versions up to 1.0 of the product, with no patches currently available. The CVSS 3.1 base score is 6.5, indicating a medium severity level, with attack vector being network-based (AV:N), low attack complexity (AC:L), requiring privileges (PR:L), and user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability can affect components beyond the initially vulnerable component. The impact on confidentiality, integrity, and availability is low to medium. No known exploits have been reported in the wild yet. The vulnerability was reserved in October 2025 and published at the end of 2025. The kcseopro AdWords Conversion Tracking Code is likely integrated into websites that rely on Google Ads conversion tracking, making it relevant for organizations involved in digital marketing and e-commerce.

For European organizations, this vulnerability poses risks primarily to web applications that integrate the kcseopro AdWords Conversion Tracking Code for tracking advertising performance. Exploitation could allow attackers to execute malicious scripts in the browsers of site visitors, potentially leading to theft of sensitive information such as session tokens, personal data, or credentials. This can result in account compromise, unauthorized transactions, or reputational damage. Additionally, attackers could manipulate website content or redirect users to phishing or malware sites, impacting user trust and compliance with data protection regulations like GDPR. The medium severity and requirement for some privileges and user interaction reduce the likelihood of widespread automated exploitation, but targeted attacks against high-value organizations remain a concern. The lack of patches increases exposure until mitigations are implemented. Given the importance of digital advertising and e-commerce in Europe, especially in countries with large online markets, the impact could be significant if exploited.

Organizations should immediately audit their web properties to identify usage of the kcseopro AdWords Conversion Tracking Code. Until an official patch is released, implement strict input validation and output encoding on all user-supplied data that interacts with the tracking code to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. Monitor web application logs for unusual activity or injection attempts. Limit privileges of accounts that can modify tracking code configurations to reduce attack surface. Educate developers and administrators about secure coding practices related to input handling. Once patches or updates become available from the vendor, prioritize their deployment. Additionally, consider using web application firewalls (WAFs) with rules designed to detect and block XSS payloads targeting this vulnerability. Regularly review and update security policies to ensure compliance with data protection laws.