CVE-2025-64047 identifies a Cross Site Scripting (XSS) vulnerability in OpenRapid RapidCMS version 1.3.1, located in the /user/user-move.php script. XSS vulnerabilities arise when user-supplied input is improperly sanitized or encoded before being rendered in a web page, allowing attackers to inject malicious scripts that execute in the context of other users' browsers. This particular vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), such as clicking a crafted link or visiting a malicious page. The vulnerability affects confidentiality and integrity by potentially exposing session tokens, cookies, or enabling actions on behalf of the victim user, but it does not impact system availability. The CVSS vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required, user interaction required, and scope changed (S:C), meaning the vulnerability can affect resources beyond the vulnerable component. The CVSS base score is 6.1, categorizing it as medium severity. No patches or known exploits are currently available, but the presence of CWE-79 confirms this is a classic reflected or stored XSS issue. Organizations using RapidCMS 1.3.1 should audit the /user/user-move.php endpoint for input validation flaws and implement proper output encoding to prevent script injection. Monitoring for suspicious activity and educating users about phishing risks can reduce exploitation likelihood.

For European organizations, exploitation of this XSS vulnerability could lead to unauthorized disclosure of sensitive information such as session cookies, enabling account hijacking or privilege escalation within the CMS environment. Attackers could also perform actions on behalf of authenticated users, potentially modifying user data or configurations, undermining data integrity. While availability is not directly impacted, the reputational damage and potential regulatory consequences under GDPR for data breaches could be significant. Organizations relying on RapidCMS for public-facing websites or internal portals are at risk of targeted phishing campaigns leveraging this vulnerability. The medium severity score reflects moderate risk, but the ease of exploitation without authentication and the scope change increase the threat level. The lack of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

1. Immediately audit and sanitize all user inputs on the /user/user-move.php endpoint, ensuring that any data reflected back to users is properly encoded using context-appropriate output encoding (e.g., HTML entity encoding). 2. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. 3. Educate users and administrators about the risks of clicking untrusted links, especially those related to user management functions. 4. Monitor web server logs and application logs for unusual requests targeting /user/user-move.php or attempts to inject scripts. 5. If possible, restrict access to the vulnerable endpoint to authenticated and authorized users only, reducing the attack surface. 6. Engage with the vendor or community to obtain or develop patches addressing this vulnerability. 7. Employ web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting this endpoint. 8. Regularly update and patch CMS components once fixes become available to prevent exploitation.