CVE-2025-11682 HIGH

CVE-2025-11682: Stored Cross-Site Scripting in Perx Customer Engagement & Loyalty Platform

Vendor Perx Technologies
Product Customer Engagement & Loyalty Platform
Weakness CWE-79 · XSS
Published October 27, 2025
Last update October 27, 2025
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Adjacent
Attack complexity High
Privileges required High
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:A/AC:H/AT:N/PR:H/UI:A/VC:H/VI:H/VA:N/SC:H/SI:H/SA:L

What the vulnerability does

01Description

Stored cross-site scripting (XSS) vulnerability in the LMT Dashboard of the Perx Customer Engagement & Loyalty Platform allows an authenticated attacker to execute arbitrary JavaScript code in a victim's browser. The vulnerability is due to improper sanitization of SVG file uploads. An attacker can upload a malicious SVG file containing a script payload to a campaign. When another user views this image on the public LMT microsite, the script executes, which can lead to session hijacking, data theft, or other unauthorized actions.This issue affects Customer Engagement & Loyalty Platform before 4.617.4.

Key dates

02Disclosure timeline

October 27, 2025 CVE published
October 27, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-29510 Hereta ETH-IMC408M Stored XSS via Device Name CVE-2025-52710 WordPress File Manager Pro plugin <= 1.8.8 - Cross Site Scripting (XSS) Vulnerability CVE-2024-5073 Essential Addons for Elementor <= 5.9.21 - Authenticated (Contributor+) Stored Cross-Site Scripting via Twitter Feed CVE-2024-1571 WP Recipe Maker <= 9.2.1 - Authenticated Stored Cross-Site Scripting via Video Embed CVE-2023-50827 WordPress Accredible Certificates & Open Badges Plugin <= 1.4.8 is vulnerable to Cross Site Scripting (XSS)