
CVE-2025-9980: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in OpenSolution QuickCMS

Severity: Medium
Published: Thu Oct 23 2025 (10/23/2025, 09:37:33 UTC)
Source: CVE Database V5
Vendor/Project: OpenSolution
Product: QuickCMS

Description

QuickCMS is vulnerable to multiple Stored XSS issues in the page editor functionality (pages-form). A malicious attacker with admin privileges can inject arbitrary HTML and JS into the website, which will be rendered/executed when the edited page is visited. By default, an admin user is not able to add JavaScript to the website. The vendor was notified early about this vulnerability, but didn't respond with the details of the vulnerability or the vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable.

AI-Powered Analysis

Last updated: 10/30/2025, 10:01:19 UTC

Technical Analysis

CVE-2025-9980 is a stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79 affecting OpenSolution's QuickCMS version 6.8. The vulnerability exists in the page editor functionality (pages-form), where an attacker with administrative privileges can inject arbitrary HTML and JavaScript code into website pages. This injected code is stored persistently and executed in the context of any user visiting the affected pages, potentially leading to session hijacking, defacement, or further exploitation of users' browsers. Although the default configuration restricts admin users from adding JavaScript, this vulnerability circumvents that limitation, allowing malicious script injection. The vendor was notified early but has not disclosed detailed vulnerability information or provided patches, and other versions besides 6.8 have not been tested but may also be vulnerable. The CVSS 4.0 base score is 4.8 (medium severity), reflecting that exploitation requires network access, low attack complexity, no authentication beyond admin privileges, and no user interaction. The vulnerability impacts confidentiality and integrity but not availability. No known exploits are currently reported in the wild. The vulnerability's scope is limited to systems running QuickCMS 6.8 with admin users having access to the page editor. This vulnerability highlights the importance of secure input handling and privilege management in CMS platforms.

Potential Impact

For European organizations using QuickCMS 6.8, this vulnerability could lead to unauthorized script execution on their websites, compromising the confidentiality and integrity of both the website content and the data of visitors interacting with the site. Attackers with admin privileges could deface websites, steal session cookies, perform phishing attacks, or conduct further attacks on users. This is particularly impactful for organizations relying on QuickCMS for public-facing websites, including government agencies, educational institutions, and businesses. The stored nature of the XSS means that malicious scripts persist until removed, increasing exposure. While the vulnerability requires admin-level access, insider threats or compromised admin accounts could be leveraged. The absence of vendor patches increases risk exposure. The impact on availability is minimal, but reputational damage and data breaches could be significant. Organizations may face regulatory consequences under GDPR if personal data is compromised via this vulnerability.

Mitigation Recommendations

1. Restrict administrative privileges strictly to trusted personnel and enforce strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of compromised admin accounts.
2. Implement rigorous input validation and output encoding on the page editor inputs to prevent injection of malicious scripts, ideally using a whitelist approach for allowed HTML tags and attributes.
3. Conduct regular audits of content created or edited via the CMS to detect suspicious or unauthorized script injections.
4. Monitor web server logs and application logs for unusual activity related to page edits or admin actions.
5. Isolate the CMS environment and apply network segmentation to limit exposure if compromised.
6. Engage with the vendor or community to obtain patches or updates as soon as they become available; consider upgrading to newer versions after thorough testing.
7. Employ Content Security Policy (CSP) headers on websites to restrict the execution of unauthorized scripts.
8. Educate administrators on secure content management practices and the risks of XSS.
9. If feasible, consider migrating to alternative CMS platforms with better security track records until this vulnerability is resolved.
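One way to carry out the content audit in recommendation 3, shown as an added example that is not part of the original advisory or of QuickCMS. It assumes the stored page bodies have been exported into a mapping of page identifier to HTML; `ActiveContentAuditor`, `audit_pages` and the sample pages are names and data constructed for this illustration.

```python
from html.parser import HTMLParser

# Elements that run script or embed active content (assumed audit policy).
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "base"}
# Attributes whose value is a URL and may carry a script-capable scheme.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}


class ActiveContentAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, reason) pairs

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases names and decodes entities in attribute values.
        line = self.getpos()[0]
        if tag in ACTIVE_TAGS:
            self.findings.append((line, f"<{tag}> element"))
        for name, value in attrs:
            # Browsers strip tabs/newlines from URLs; drop them before comparing.
            scheme = "".join(c for c in (value or "").lower() if c > " ")
            if name.startswith("on"):
                self.findings.append((line, f"event handler {name} on <{tag}>"))
            elif name in URL_ATTRS and scheme.startswith(("javascript:", "data:text/html")):
                self.findings.append((line, f"script URL in {name} on <{tag}>"))


def audit_pages(pages):
    """Return {page_id: [(line, reason), ...]} for pages with findings."""
    report = {}
    for page_id, html in pages.items():
        auditor = ActiveContentAuditor()
        auditor.feed(html)
        auditor.close()
        if auditor.findings:
            report[page_id] = auditor.findings
    return report


# Constructed sample data, not taken from a real QuickCMS installation.
SAMPLE_PAGES = {
    "about": "<h2>About us</h2>\n<p>Opening hours: <b>9-17</b></p>",
    "news": "<p>Update</p>\n<img src=\"logo.png\" onerror=\"alert(1)\">",
    "contact": "<a href=\"jav&#x61;script:alert(1)\">Mail</a>\n<SCRIPT>alert(1)</SCRIPT>",
}

if __name__ == "__main__":
    for page_id, found in audit_pages(SAMPLE_PAGES).items():
        print(page_id, found)
```

Because the default configuration is not supposed to let an admin add JavaScript, any finding on a stored page is worth reviewing against the edit history for that page.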


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-09-04T13:00:31.975Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68f9f86d3c8ea3a7c43ca06e

Added to database: 10/23/2025, 9:42:05 AM

Last enriched: 10/30/2025, 10:01:19 AM

Last updated: 12/7/2025, 1:36:10 PM
