Cyber Posture

CVE-2025-25823

High

Published: 26 February 2025
Modified: 07 April 2025
KEV Added: not listed
Patch: not listed
CVSS Score: 7.3 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
EPSS Score: 0.0013 (32.3rd percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

A cross-site scripting (XSS) vulnerability in Emlog Pro v2.5.4 allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the article header at /admin/article.php.

Security Summary

CVE-2025-25823, published on 2025-02-26, is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects Emlog Pro version 2.5.4. The issue occurs in the article header functionality at the /admin/article.php endpoint, where attackers can inject a crafted payload to execute arbitrary web scripts or HTML. It carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L), reflecting high impacts on confidentiality and integrity with low availability impact.

Attackers can exploit this vulnerability by injecting malicious payloads into the article header through the affected admin interface. The CVSS vector rates the attack vector as local (AV:L) with low attack complexity, no privileges required, and user interaction required; successful exploitation executes arbitrary scripts in the context of the victim's browser. This can lead to outcomes such as session hijacking, data theft, or unauthorized actions on the site.

Advisories and further details on mitigation are available in the provided references: http://emlogpro.com, https://github.com/Ka7arotto/emlog/blob/main/xss-3.md, and https://www.emlog.net/. Security practitioners should review these sources for the recommended patches or workarounds.

Details

CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")

Affected Products

Vendor: emlog
Product: emlog
Version: 2.5.4

References