CVE-2025-40992
Description
Stored XSS vulnerability in Creativeitem Sociopro due to lack of proper validation of user inputs via the endpoint '/sociopro/profile/update_profile', affecting the 'name' parameter via POST. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her cookie session details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Creativeitem Sociopro via the 'name' parameter in profile update allows an attacker to steal authenticated users' session cookies.
CVE-2025-40992 is a stored cross-site scripting (XSS) vulnerability in Creativeitem Sociopro, a platform for private social networks. The flaw exists because the application fails to properly validate user input in the 'name' parameter when processing POST requests to the endpoint '/sociopro/profile/update_profile'. This allows an attacker to inject arbitrary JavaScript code that will be stored and executed in the context of other users' browsers [1].
Exploitation requires an authenticated user to send a specially crafted POST request to the profile update endpoint with malicious script in the 'name' field. The injected script is then stored and executed when other authenticated users view the affected profile or page. The attacker does not need special privileges beyond being a regular user, but the victim must be authenticated and interact with the stored content [1].
Successful exploitation allows the attacker to steal session cookies from authenticated users who view the malicious content. This can lead to account takeover or unauthorized access to sensitive information within the Sociopro instance. The CVSS v4.0 base score is 5.1 (Medium), with the vector indicating low privileges required and user interaction needed [1].
As of the advisory publication date (2025-10-02), no official patch or solution has been reported by the vendor. Users are advised to apply input validation and output encoding as a workaround, or consider restricting access to the profile update functionality until a fix is available [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
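The workaround named above (input validation plus output encoding), sketched for a profile 'name' field. This is an added example, not Sociopro's code: the function names, the 64-character limit and the allowed character set are assumptions, and the sample inputs in the comments are constructed.

```python
import html
import unicodedata

MAX_NAME_LEN = 64  # assumed limit; the advisory does not state one

# Assumed allow-list for a display name: letters, combining marks and digits
# (any script) plus a few separators. Markup characters are not in it.
_ALLOWED_PUNCT = set(" .'-")


def validate_name(raw: str) -> str:
    """Return a normalized display name, or raise ValueError if it is unsafe."""
    name = unicodedata.normalize("NFC", raw).strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise ValueError("name is empty or too long")
    for ch in name:
        if unicodedata.category(ch)[0] in ("L", "M", "N") or ch in _ALLOWED_PUNCT:
            continue
        raise ValueError(f"character not allowed in name: {ch!r}")
    return name


def update_profile(form: dict, store: dict) -> bool:
    """Hypothetical handler for the POSTed 'name' field; False means rejected."""
    try:
        store["name"] = validate_name(form.get("name", ""))
    except ValueError:
        return False  # nothing is written, so nothing is stored for later views
    return True


def render_profile_name(stored_name: str) -> str:
    """Encode at output time as well: rows stored before validation existed
    may still hold markup, and encoding makes them render as inert text."""
    return ('<h2 class="profile-name">'
            + html.escape(stored_name, quote=True)
            + "</h2>")
```

Validation alone does not clean values already in the database, which is why the render path encodes independently of it.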
Affected products: 1
Patches: 0
No patches discovered yet.
References: 1
News mentions: 0
No linked articles in our index yet.