CVE-2025-66686 is a stored Cross-Site Scripting (XSS) vulnerability identified in Perch CMS version 3.2. This vulnerability arises because the 'Help button url' setting in the administrative panel improperly sanitizes input, allowing an authenticated attacker with administrative privileges to inject arbitrary JavaScript code. The malicious payload is stored persistently and executed whenever any authenticated user clicks the Help button within the CMS interface. This execution context can be leveraged to hijack user sessions, disclose sensitive information, escalate privileges, or perform unauthorized administrative actions, effectively compromising the confidentiality, integrity, and availability of the CMS environment. The attack requires the attacker to have administrative access, which limits the initial attack vector but increases the severity since the attacker already controls a privileged account. No CVSS score has been assigned yet, and no patches or known exploits are currently reported. The vulnerability highlights the importance of input validation and output encoding in web applications, especially in administrative interfaces. Since Perch CMS is used for managing website content, exploitation could lead to widespread compromise of web assets and user data. The stored nature of the XSS means the malicious script persists until remediated, increasing the window of exposure. Organizations relying on Perch CMS 3.2 should prioritize detection and mitigation to prevent exploitation.

For European organizations, this vulnerability poses significant risks, particularly for those using Perch CMS version 3.2 to manage their web content. Successful exploitation can lead to session hijacking, allowing attackers to impersonate legitimate users and gain unauthorized access to sensitive data or administrative functions. Information disclosure could expose confidential business or customer data, damaging reputation and violating data protection regulations such as GDPR. Privilege escalation and unauthorized administrative actions could result in website defacement, insertion of malicious content, or further compromise of internal networks. The impact extends to availability if attackers disrupt CMS operations or lock out legitimate administrators. Given the administrative access requirement, insider threats or compromised admin credentials could facilitate exploitation. The lack of patches increases exposure time, and the stored nature of the XSS means multiple users can be affected once the payload is injected. European organizations with public-facing websites or critical digital services managed via Perch CMS are particularly vulnerable, potentially affecting customer trust and regulatory compliance.

1. Restrict administrative access to trusted personnel only and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise. 2. Monitor administrative activities and audit logs for unusual changes to the 'Help button url' setting or other configuration parameters. 3. Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts within the CMS interface. 4. Educate administrators about the risks of stored XSS and the importance of cautious input handling. 5. Regularly review and sanitize all inputs in the CMS, especially those that are stored and rendered in the admin panel. 6. Prepare for prompt application of security patches once Perch CMS releases a fix for this vulnerability. 7. Consider isolating the CMS administrative interface behind VPNs or IP whitelisting to reduce exposure. 8. Conduct penetration testing and vulnerability scanning focused on the CMS to detect similar issues proactively.