CVE-2025-40642
Description
Reflected Cross-Site Scripting (XSS) vulnerability in WebWork, which allows remote attackers to execute arbitrary code through the 'q' and 'engine' request parameters in /search.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS vulnerability in WebWork search engine allows remote attackers to execute arbitrary JavaScript via crafted 'q' and 'engine' parameters.
Vulnerability Overview
CVE-2025-40642 is a reflected Cross-Site Scripting (XSS) vulnerability in WebWork, a PHP-based search engine script. The flaw exists in the /search endpoint, where the q and engine request parameters are not properly sanitized before being reflected back to the user. This allows an attacker to inject arbitrary HTML and JavaScript code into the response [1].
Exploitation
The vulnerability can be exploited remotely without authentication, but requires user interaction (CVSS v4.0 UI:A). An attacker can craft a malicious URL containing XSS payloads in the q or engine parameters and trick a victim into clicking it. No special network position is needed, as the attack is delivered via a standard HTTP request [1].
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, defacement, or theft of sensitive information displayed on the page. The CVSS v4.0 score of 5.1 (Medium) reflects the low direct impact on system confidentiality, integrity, and availability, but the potential for user-level compromise remains significant [1].
Mitigation
The vendor has released a fix for this vulnerability. Users are advised to update WebWork to the latest version to eliminate the XSS risk. No workarounds are documented in the advisory [1].
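To show the pattern the Overview and Mitigation sections describe, the following is an added example of a hypothetical PHP /search handler, not WebWork's own code; the engine names, function names and sample input are assumptions.

```php
<?php
// Added illustrative example (not WebWork's code): a hypothetical /search
// handler showing the reflected-XSS pattern described above and its fix.

// Allow-listed search back-ends; these names are assumptions for this example.
const ALLOWED_ENGINES = ['web', 'images', 'news'];

// VULNERABLE pattern: q and engine are written into the HTML response
// unchanged, so any markup they contain becomes part of the page.
function render_results_unsafe(string $q, string $engine): string
{
    return "<h1>Results for {$q} on {$engine}</h1>"
         . "<input name=\"q\" value=\"{$q}\">";
}

// HARDENED pattern: engine is validated against an allow-list and every
// reflected value is HTML-encoded for the context it lands in.
function render_results_safe(string $q, string $engine): string
{
    if (!in_array($engine, ALLOWED_ENGINES, true)) {
        $engine = ALLOWED_ENGINES[0];   // never echo an unknown engine value
    }
    // ENT_QUOTES encodes both quote styles, so the value is safe inside an
    // attribute as well as in element text; ENT_SUBSTITUTE avoids dropping
    // the whole string on invalid UTF-8.
    $qEsc      = htmlspecialchars($q, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $engineEsc = htmlspecialchars($engine, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h1>Results for {$qEsc} on {$engineEsc}</h1>"
         . "<input name=\"q\" value=\"{$qEsc}\">";
}

// Constructed sample input: a query containing markup characters, used when
// the request carries no parameters so the script runs stand-alone.
$q      = $_GET['q']      ?? '"><b>sample</b>';
$engine = $_GET['engine'] ?? 'other';

header('Content-Type: text/html; charset=UTF-8');
// A restrictive CSP limits what injected script could do if an encoding
// mistake ever slips through; it complements output encoding, not replaces it.
header("Content-Security-Policy: default-src 'self'");
echo render_results_safe($q, $engine);
```

With the constructed input, render_results_unsafe() would close the input attribute and emit a bold element, while render_results_safe() reflects the literal characters `&quot;&gt;&lt;b&gt;sample&lt;/b&gt;` and falls back to the first allow-listed engine.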
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (1)
News mentions (0)
No linked articles in our index yet.