CVE-2025-50058
Description
A stored XSS vulnerability was discovered in the RSDirectory! component for Joomla, versions 1.0.0 through 2.2.8. The issue allows remote authenticated attackers to inject arbitrary web script or HTML via the review reply component.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in RSDirectory! Joomla component 1.0.0-2.2.8 allows authenticated attackers to inject arbitrary web script via review replies.
A stored cross-site scripting (XSS) vulnerability exists in the RSDirectory! component for Joomla, affecting versions 1.0.0 through 2.2.8. The issue resides in the review reply feature, where user-supplied input is not properly sanitized before being stored. This allows an attacker to inject arbitrary web script or HTML that will be executed in the context of other users viewing the review [1].
The vulnerability can be exploited by remote authenticated users who have the ability to post review replies. No elevated privileges beyond standard user authentication are required to inject malicious content. The attack vector is network-based, and exploitation does not require any special user interaction beyond the victim viewing the compromised review [1].
Successful exploitation enables the attacker to execute arbitrary JavaScript in the browser of any user who accesses the affected review reply. This can lead to session hijacking, defacement, phishing attacks, or further compromise of the Joomla site. Given that social engineering is often required to lure victims to the malicious content, the severity is assessed as Medium [1].
The vendor, RSJoomla, has addressed this vulnerability in version 2.3.4 of RSDirectory!, as indicated by their changelog. Users are strongly advised to upgrade to the latest version to mitigate the risk. No workaround is available if the component cannot be updated [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
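To make the render-path flaw described above concrete, here is an added illustrative example (not RSDirectory!'s own code; the function and field names are hypothetical): a stored review reply concatenated straight into HTML beside the same render with output encoding applied.

```php
<?php
// Added illustrative example, not RSDirectory! code: a minimal review-reply
// render path showing the stored-XSS pattern and its fix. Function and field
// names are hypothetical.

declare(strict_types=1);

// Constructed sample of what a stored reply row might hold after an
// authenticated user submits a reply containing markup.
$storedReply = [
    'author' => 'reviewer42',
    'body'   => 'Thanks! <script>document.title = "xss"</script>',
];

// Vulnerable pattern: the stored body is concatenated straight into the
// HTML response, so any markup the reply author saved runs for every viewer.
function renderReplyUnsafe(array $reply): string
{
    return '<div class="reply"><b>' . $reply['author'] . '</b>: '
        . $reply['body'] . '</div>';
}

// Hardened pattern: encode on output. htmlspecialchars() with ENT_QUOTES
// turns <, >, &, " and ' into entities, so the browser renders the reply as
// text instead of parsing it as markup. Joomla templates expose the same idea
// as $this->escape(); the plain PHP function is used here so the file runs
// stand-alone. Input filtering on submit is worthwhile defence in depth, but
// output encoding is the control that actually prevents script execution.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderReplySafe(array $reply): string
{
    return '<div class="reply"><b>' . escapeHtml($reply['author']) . '</b>: '
        . escapeHtml($reply['body']) . '</div>';
}

// Self-check: the safe renderer must never emit a raw <script> tag.
$unsafe = renderReplyUnsafe($storedReply);
$safe   = renderReplySafe($storedReply);
assert(str_contains($unsafe, '<script>'));
assert(!str_contains($safe, '<script>'));
assert(str_contains($safe, '&lt;script&gt;'));

echo $unsafe, PHP_EOL;
echo $safe, PHP_EOL;
```

Run with `php example.php` (PHP 8 or later for str_contains); the first line shows the raw tag reaching the viewer, the second shows it neutralised as text.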
Affected products
- (no CPE) range: >=1.0.0,<=2.2.8
- (no CPE) range: <=2.2.8
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] rsjoomla.com (source: nvd)
News mentions
No linked articles in our index yet.