CVE-2025-62899 identifies a stored Cross-site Scripting (XSS) vulnerability in the Photospace Responsive product developed by THRIVE - Web Design Gold Coast, affecting versions up to and including 2.2.0. Stored XSS occurs when malicious input is not properly sanitized or neutralized before being stored and subsequently rendered in web pages viewed by other users. In this case, improper neutralization during web page generation allows attackers to inject arbitrary JavaScript code that persists on the server and executes in the context of other users' browsers. This can lead to a range of attacks including session hijacking, credential theft, unauthorized actions on behalf of users, and distribution of malware. The vulnerability is particularly dangerous because it does not require user interaction beyond visiting a compromised page, and no authentication is needed to exploit it. Although no public exploits have been reported yet, the presence of this vulnerability in a web design tool used for responsive websites means that many sites could be affected if they use vulnerable versions. The lack of a CVSS score indicates that the vulnerability is newly published and not yet fully assessed, but the technical details confirm the risk. The vulnerability was reserved and published in late October 2025, with no patches currently linked, emphasizing the need for proactive mitigation. The threat affects the confidentiality, integrity, and availability of web applications and their users, making it a significant concern for organizations relying on Photospace Responsive for their web presence.

For European organizations, the impact of CVE-2025-62899 can be substantial. Stored XSS vulnerabilities enable attackers to execute arbitrary scripts in the browsers of users visiting affected websites, potentially leading to theft of sensitive information such as session cookies, personal data, or corporate credentials. This can facilitate further attacks like account takeover or lateral movement within networks. Additionally, attackers can deface websites, damaging brand reputation and customer trust. For organizations in regulated sectors such as finance, healthcare, or government, exploitation could result in non-compliance with data protection laws like GDPR, leading to legal and financial penalties. The vulnerability also threatens the availability of services if attackers inject scripts that disrupt normal operations or redirect users to malicious sites. Since Photospace Responsive is a web design tool, many small to medium enterprises and agencies across Europe might use it, increasing the attack surface. The lack of authentication requirement and ease of exploitation further elevate the risk, making it critical for European entities to assess their exposure and implement mitigations promptly.

To mitigate CVE-2025-62899 effectively, organizations should: 1) Immediately audit all web applications built with Photospace Responsive for signs of stored XSS, including unusual script injections or user complaints. 2) Implement strict input validation and sanitization on all user-supplied data before storage, using a whitelist approach where possible. 3) Apply context-aware output encoding (e.g., HTML entity encoding) when rendering user input in web pages to prevent script execution. 4) Monitor vendor communications closely for patches or updates addressing this vulnerability and apply them promptly once available. 5) Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 6) Conduct regular security testing, including automated scanning and manual code reviews focused on injection points. 7) Educate developers and content managers on secure coding practices related to XSS. 8) For critical or high-traffic sites, consider temporary workarounds such as disabling or restricting features that accept user input until patches are applied. 9) Use web application firewalls (WAFs) with updated rules to detect and block common XSS attack patterns targeting this vulnerability. These measures combined will reduce the risk of exploitation and protect users from malicious script execution.