VYPR
Medium severity 6.1 · NVD Advisory · Published Aug 14, 2025 · Updated Apr 15, 2026

CVE-2025-51965

Description

OURPHP through 8.6.1 is vulnerable to Cross-Site Scripting (XSS) via the "Name" field of the "Complete Profile" functionality under the "My User Center" page, which can be accessed after registering through the front-end interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

OURPHP up to 8.6.1 has an XSS vulnerability in the 'Name' field of the profile page, exploitable after user registration.

OURPHP versions through 8.6.1 contain a cross-site scripting (XSS) vulnerability in the "Complete Profile" functionality under the "My User Center" page. The flaw is present in the 'Name' field, which is not properly sanitized before being rendered, allowing an attacker to inject arbitrary HTML or JavaScript code [1].

To exploit this, an attacker must first register a valid user account on the OURPHP-based site through the front-end interface. Once registered, they can navigate to their user center and fill in the profile name field with a malicious payload. The stored payload then executes in the browser context of any other user who views the attacker's profile, such as an administrator or other community members [1].

Successful exploitation can lead to session hijacking, credential theft, or performing actions on behalf of the victim user. Since the attacker controls the injected script, they can exfiltrate sensitive data or perform unintended operations within the application [1].

At the time of disclosure, the vulnerability affects all versions of OURPHP up to and including 8.6.1. Users are advised to apply the official patch or upgrade once available. As a workaround, administrators may implement additional input validation for the name field or use a web application firewall to filter malicious strings [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

References

3
