CVE-2025-62920 identifies a stored Cross-site Scripting (XSS) vulnerability in the webnique USERCENTRICS Consent Management Platform (CMP), specifically affecting versions up to and including 1.0.9. The vulnerability stems from improper neutralization of user-supplied input during the generation of web pages, which allows attackers to inject malicious scripts that are persistently stored within the application. When other users or administrators access the affected pages, the malicious scripts execute in their browsers, potentially leading to unauthorized actions such as session hijacking, theft of sensitive information, or manipulation of consent data. The vulnerability requires an attacker to have limited privileges (PR:L) and user interaction (UI:R) to exploit, indicating that the attacker must be able to submit crafted input and lure a user to interact with the malicious content. The CVSS v3.1 base score is 5.4, reflecting medium severity, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), partial confidentiality and integrity impact (C:L/I:L), no availability impact (A:N), and scope change (S:C). No public exploits have been reported yet, and no patches or mitigation links are currently provided. The CMP is widely used in Europe to manage user consent in compliance with GDPR and other privacy regulations, making this vulnerability particularly relevant for organizations handling personal data. The stored nature of the XSS increases risk as malicious payloads persist and affect multiple users over time.

For European organizations, this vulnerability poses a risk to the confidentiality and integrity of user consent data and potentially other sensitive information processed by the USERCENTRICS CMP. Exploitation could allow attackers to execute arbitrary scripts in the context of the affected web application, leading to session hijacking, unauthorized actions, or disclosure of personal data. Given the CMP's role in managing consent under GDPR, any compromise could result in regulatory non-compliance, reputational damage, and legal consequences. The medium severity score reflects that while availability is not impacted, the partial loss of confidentiality and integrity can have significant operational and compliance implications. Organizations relying on USERCENTRICS CMP for consent management should consider the risk of targeted attacks, especially in sectors with high privacy requirements such as finance, healthcare, and e-commerce. The lack of known exploits suggests a window of opportunity to remediate before widespread abuse occurs.

1. Immediately assess the deployment of USERCENTRICS CMP versions and identify instances running version 1.0.9 or earlier. 2. Monitor vendor communications and security advisories for official patches or updates addressing CVE-2025-62920 and apply them promptly once available. 3. Implement input validation and output encoding on all user-supplied data fields within the CMP to neutralize potentially malicious scripts. 4. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the CMP interface. 5. Limit user privileges to the minimum necessary to reduce the risk of malicious input submission. 6. Conduct regular security audits and penetration testing focused on XSS vulnerabilities in consent management platforms. 7. Educate administrators and users about the risks of interacting with suspicious links or inputs within the CMP environment. 8. Consider deploying Web Application Firewalls (WAFs) with rules tuned to detect and block XSS payloads targeting the CMP. 9. Maintain comprehensive logging and monitoring to detect anomalous activities that may indicate exploitation attempts.