SOPlanning Under Attack: Stored XSS Vulnerability in Public Holidays (CVE-2025-62731)

Overview

A Stored Cross-Site Scripting (XSS) vulnerability has been identified in SOPlanning, a popular scheduling software. This vulnerability, tracked as CVE-2025-62731, affects the /feries endpoint, which implements the public holidays feature. An attacker with sufficient privileges to edit holiday entries can inject arbitrary HTML and JavaScript code into the website, posing a significant security risk. This code is then executed when other users, including administrators, access pages that display the affected data. The vulnerability has been fixed in SOPlanning version 1.55.

Technical Details

The vulnerability lies in the insufficient sanitization of user-supplied input within the public holidays feature. Specifically, when adding or modifying public holiday entries through the /feries endpoint, an attacker can include malicious HTML or JavaScript code. This code is then stored in the SOPlanning database and rendered without proper encoding or escaping when the holiday information is displayed on various pages. Because this is a Stored XSS vulnerability, the malicious payload persists in the database and runs in the browser of every user who views the compromised data.
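The root cause described above is output without encoding. The following added example (not SOPlanning's code; the row layout, field names and the sample label are constructed for illustration) shows a vulnerable render function beside a hardened one that HTML-entity encodes every untrusted field at output time:

```python
import html

# Constructed sample holiday label (not taken from the advisory): it carries
# markup of the kind a stored XSS entry would contain.
SAMPLE_LABEL = 'Fête nationale <script>alert("xss")</script>'


def render_holiday_row_vulnerable(date: str, label: str) -> str:
    """Before: the stored label is concatenated straight into HTML.
    Any tag inside the label is interpreted by the browser (stored XSS)."""
    return f"<tr><td>{date}</td><td>{label}</td></tr>"


def render_holiday_row(date: str, label: str) -> str:
    """After: every untrusted field is HTML-entity encoded when it is output.
    html.escape(quote=True) also encodes quotes, so the same encoded value is
    safe inside a double-quoted attribute such as title="..."."""
    safe_date = html.escape(date, quote=True)
    safe_label = html.escape(label, quote=True)
    return f'<tr><td>{safe_date}</td><td title="{safe_label}">{safe_label}</td></tr>'


def contains_active_markup(rendered: str) -> bool:
    """Self-check used below: does the rendered fragment still contain a
    literal <script tag that a browser would execute?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_holiday_row_vulnerable("2025-07-14", SAMPLE_LABEL))
    print(render_holiday_row("2025-07-14", SAMPLE_LABEL))
```

Encoding at the output boundary, rather than trying to strip tags on input, is the durable fix: the stored value is preserved exactly, and the browser only ever sees text. A field placed into a JavaScript block or a URL needs the encoding for that context instead of HTML entity encoding.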

CVSS Analysis

The published advisory does not provide a CVSS score at this time. However, Stored XSS vulnerabilities generally have a moderate to high severity depending on the context and the privileges of the attacker. A high impact is possible if an administrator account is compromised.

Possible Impact

Successful exploitation of this Stored XSS vulnerability can have several serious consequences:

  • Account Takeover: An attacker could steal user session cookies, allowing them to impersonate legitimate users, including administrators.
  • Data Theft: Malicious JavaScript code could be used to exfiltrate sensitive data stored within the SOPlanning application or accessible through the user’s browser.
  • Website Defacement: The attacker could modify the appearance of the SOPlanning website, displaying misleading information or malicious content.
  • Malware Distribution: The injected code could redirect users to malicious websites or trigger the download of malware.

Mitigation and Patch Steps

The vulnerability has been addressed in SOPlanning version 1.55. It is strongly recommended that all users of SOPlanning upgrade to this version as soon as possible. Follow these steps to mitigate the risk:

  1. Upgrade to Version 1.55: Download and install the latest version of SOPlanning from the official website.
  2. Review Public Holiday Data: After upgrading, carefully review existing public holiday entries for any suspicious or unexpected content. Remove or correct any malicious data.
  3. Principle of Least Privilege: Ensure that users only have the necessary permissions to access and modify public holiday data. Restrict access to the /feries endpoint to trusted administrators.
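Step 2 above asks for a review of existing holiday entries. The following added example (not part of SOPlanning or the advisory; the row structure, the field names label/comment and the sample rows are constructed assumptions) screens stored entries for markup that has no place in a holiday name, so the audit does not depend on eyeballing every row:

```python
import re
from dataclasses import dataclass

# Heuristic screen: any HTML tag, a javascript: URL, or an inline event-handler
# attribute. It is a triage filter, not a sanitizer; flagged rows are reviewed
# by a person, and an occasional false positive is acceptable.
SUSPICIOUS = re.compile(r"<\s*/?\s*[a-z!]|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


@dataclass
class Holiday:
    id: int
    date: str
    label: str
    comment: str = ""


# Constructed sample rows standing in for the stored holiday table.
SAMPLE_ROWS = [
    Holiday(1, "2025-01-01", "Nouvel An"),
    Holiday(2, "2025-07-14", "Fête nationale <script>alert(1)</script>"),
    Holiday(3, "2025-12-25", "Noël", comment='<a href="javascript:void(0)">info</a>'),
    Holiday(4, "2025-05-01", "Fête du Travail", comment="Tom & Jerry day"),
]


def find_suspicious_entries(rows):
    """Return (id, field, value) for every text field matching SUSPICIOUS."""
    hits = []
    for row in rows:
        for field in ("label", "comment"):
            value = getattr(row, field)
            if value and SUSPICIOUS.search(value):
                hits.append((row.id, field, value))
    return hits


def suspicious_ids(rows):
    """Sorted, de-duplicated ids of rows that need manual review."""
    return sorted({hit[0] for hit in find_suspicious_entries(rows)})


if __name__ == "__main__":
    for row_id, field, value in find_suspicious_entries(SAMPLE_ROWS):
        print(f"review row {row_id}: field {field!r} contains {value!r}")
```

In a real audit the sample list is replaced by the rows read from the database; note that row 4 is not flagged, since a bare ampersand is ordinary text and only becomes a problem if it is rendered without encoding.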

References

CERT.PL Advisory
SOPlanning Official Website

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.
