CVE-2025-65956 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79 affecting the Formwork CMS, a flat file-based content management system. The vulnerability exists in versions prior to 2.2.0 due to improper neutralization of input in the blog tag field, where unsanitized user input is inserted directly into web pages generated by the CMS. This flaw allows an attacker with valid credentials to inject malicious JavaScript code that is persistently stored and executed whenever an authorized user accesses or edits the compromised blog post. The attack vector requires network access and privileges (authenticated user), with user interaction needed to trigger the script execution. The vulnerability impacts confidentiality by potentially exposing sensitive session or credential data, integrity by enabling unauthorized script execution that could alter content or settings, and availability by possibly facilitating denial-of-service conditions through malicious scripts. The vulnerability affects privileged administrative workflows, increasing the risk of lateral movement or privilege escalation within the CMS environment. Although no known exploits are reported in the wild, the issue is significant due to the persistence and targeting of administrative users. The vendor has addressed the vulnerability in Formwork CMS version 2.2.0 by implementing proper input sanitization and output encoding to neutralize malicious scripts in the blog tag field. The CVSS 3.1 base score of 6.5 reflects a medium severity level, with network attack vector, low attack complexity, required privileges, user interaction, and a scope change due to impact on other components or users.

For European organizations using Formwork CMS, this vulnerability poses a risk primarily to administrative users who manage web content. Successful exploitation could lead to session hijacking, credential theft, or unauthorized actions performed under the context of privileged users, potentially compromising the CMS and associated web assets. This can result in defacement, data leakage, or further compromise of internal systems if attackers leverage the CMS as a pivot point. The persistence of the injected script increases the window of exposure, making detection and remediation more challenging. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) face increased regulatory and reputational risks if such an attack leads to data breaches. Additionally, the vulnerability could be leveraged for supply chain attacks if the CMS is used to publish content consumed by other systems or users. Given the requirement for authenticated access, insider threats or compromised credentials are the most likely exploitation vectors, emphasizing the need for strong access controls and monitoring.

1. Immediately upgrade all instances of Formwork CMS to version 2.2.0 or later, where the vulnerability is patched. 2. Implement strict input validation and output encoding on all user-supplied data fields, especially those that affect web page generation, to prevent injection of malicious scripts. 3. Enforce the principle of least privilege by limiting CMS user permissions to only those necessary for their roles, reducing the risk of exploitation by compromised accounts. 4. Deploy multi-factor authentication (MFA) for all CMS users to mitigate risks from credential theft. 5. Conduct regular audits and monitoring of CMS logs to detect unusual activities, such as unexpected edits or accesses to blog posts. 6. Use Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers accessing the CMS. 7. Educate administrative users about phishing and social engineering risks that could lead to credential compromise. 8. Consider implementing web application firewalls (WAF) with rules to detect and block XSS payloads targeting the CMS. 9. Regularly review and sanitize existing blog posts and tags to identify and remove any malicious scripts that may have been injected prior to patching. 10. Maintain an incident response plan that includes procedures for handling CMS compromises and XSS incidents.