CVE-2025-40652 MEDIUM

CVE-2025-40652: Cross-Site Scripting (XSS) in CoverManager

Vendor Covermanager
Product CoverManager
Weakness CWE-79 · XSS
Published May 26, 2025
Last update May 27, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01 Description

Stored Cross-Site Scripting (XSS) vulnerability in the CoverManager booking software. The vulnerability allows an attacker to inject malicious scripts into the application, where they are permanently stored on the server. The malicious scripts are executed in the browser of any user who visits the affected page, without the user having to take any further action. This can allow the attacker to steal sensitive information, such as session cookies and login credentials, and to perform actions on behalf of the affected user.

Key dates

02 Disclosure timeline

May 26, 2025 CVE published
May 27, 2025 Record updated
