CVE-2025-65956: 
PHP vulnerability analysis and mitigation

A stored cross-site scripting (XSS) vulnerability was discovered in Formwork CMS affecting versions 2.1.5 and below, identified as CVE-2025-65956. The vulnerability allows attackers to inject malicious scripts through blog tags that persist in the system and execute when users access or edit affected blog posts. The issue was discovered in November 2025 and has been patched in version 2.2.0 (GitHub Advisory).

The vulnerability stems from improper sanitization of data inserted into blog tags before saving and rendering them in the edit blog interface. The issue is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-80 (Improper Neutralization of Script-Related HTML Tags). The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Moderate), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, and required user interaction (GitHub Advisory).

When exploited, the vulnerability allows attackers to create persistent XSS attacks that execute whenever users with CMS credentials access or edit affected blog posts. Once a malicious tag is inserted, it becomes impossible to remove, and any attempt to remove the tag triggers the XSS payload again. Furthermore, the vulnerability creates an interface lockout condition where managing standard tags becomes impossible due to continuous script execution on attempted modifications (GitHub Advisory).

The vulnerability has been patched in Formwork CMS version 2.2.0. The fix includes replacing innerHTML with innerText throughout the codebase and introducing proper HTML escaping via a new escapeHtml utility function. Users are advised to upgrade to version 2.2.0 or later to protect against this vulnerability (GitHub Pull Request).