CVE-2025-60299

5.4 MEDIUM

📋 TL;DR

An authenticated user in Novel-Plus 5.2.0 can inject malicious JavaScript via the replyContent parameter when replying to book comments, leading to stored XSS. This allows execution of arbitrary code in other users' browsers when they view the comment thread, potentially compromising their sessions or data. The vulnerability affects all users of the application with access to comment features.

💻 Affected Systems

Products:
  • Novel-Plus
Versions: 5.2.0
Operating Systems: Any OS running Novel-Plus
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in the default configuration of Novel-Plus 5.2.0; no special settings are required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal session cookies, perform account takeovers, deface pages, or redirect users to malicious sites, leading to full compromise of user accounts and data breaches.

🟠 Likely Case

Attackers hijack user sessions to access unauthorized information or perform actions on behalf of victims, such as posting malicious content or altering settings.

🟢 If Mitigated

With input validation and output encoding, the risk is reduced to a minimum: script execution is prevented, and the remaining impact is limited to potential data corruption without code execution.

🌐 Internet-Facing: HIGH, as the application is likely exposed to the internet, allowing remote authenticated attackers to exploit it and affect multiple users.
🏢 Internal Only: MEDIUM, as exploitation requires authenticated access, limiting it to internal users but still posing a risk if insider threats exist.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and knowledge of the vulnerable endpoint, but payload injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 5.2.0 (check vendor for specific version)

Vendor Advisory: https://github.com/201206030/novel-plus

Restart Required: No

Instructions:

1. Update Novel-Plus to the latest version from the official GitHub repository.
2. Apply any security patches or commits addressing CVE-2025-60299.
3. Verify the fix by testing the /book/addCommentReply endpoint for XSS.

🔧 Temporary Workarounds

Input Validation and Sanitization

Applies to: all

Description: Implement server-side validation to sanitize or reject malicious input in the replyContent parameter.

How to apply: Not applicable as a configuration change; requires code changes in the application.

Content Security Policy (CSP)

Applies to: all

Description: Deploy a strict CSP to mitigate XSS by restricting script execution sources.

How to apply: Add CSP headers in the web server configuration, e.g., Content-Security-Policy: default-src 'self'.
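The two workarounds above, shown side by side as an added example (this is illustrative code written for this page, not Novel-Plus's own Java code base): the vulnerable pattern concatenates the stored replyContent straight into HTML, the hardened pattern HTML-encodes it on output so stored markup renders as inert text, a strict validation option rejects markup before it is stored, and the recommended CSP header is returned as a name/value pair to attach to every HTML response. The function names and the sample reply string are constructed for the example.

```python
import html

# Constructed sample input: a reply body containing markup of the kind the
# advisory describes. Harmless test string, not taken from the page.
SAMPLE_REPLY = "Nice chapter! <script>alert('XSS')</script>"

# The header value the workaround section recommends, as a (name, value) pair
# for whichever web server or framework fronts the application.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'")


def render_reply_unsafe(reply_content: str) -> str:
    """Vulnerable pattern: user-supplied text is concatenated straight into HTML,
    so any tags stored in replyContent become live markup for every viewer."""
    return f'<div class="reply">{reply_content}</div>'


def render_reply_safe(reply_content: str) -> str:
    """Hardened pattern: HTML-encode on output. '<', '>', '&' and quotes become
    entities, so the stored text is displayed verbatim and never parsed as markup."""
    return f'<div class="reply">{html.escape(reply_content, quote=True)}</div>'


def reject_if_markup(reply_content: str) -> str:
    """Stricter server-side validation option from the workaround section: refuse
    replies that contain angle brackets at all. Raises ValueError so the caller can
    answer HTTP 400 instead of storing the text. Note that this also rejects
    legitimate text such as 'a < b'; output encoding alone does not have that cost."""
    if "<" in reply_content or ">" in reply_content:
        raise ValueError("replyContent may not contain HTML markup")
    return reply_content


def response_headers() -> dict:
    """Headers to attach to every HTML response. With default-src 'self' the browser
    refuses inline scripts and scripts from other origins, which blunts a stored
    payload even if an encoding step is missed somewhere."""
    return {CSP_HEADER[0]: CSP_HEADER[1]}


if __name__ == "__main__":
    print("unsafe :", render_reply_unsafe(SAMPLE_REPLY))
    print("safe   :", render_reply_safe(SAMPLE_REPLY))
    print("headers:", response_headers())
```

Output encoding at render time is the primary fix because it protects every existing stored reply, not only new ones; the reject-on-input check and the CSP header are defence in depth around it.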

🧯 If You Can't Patch

  • Disable the /book/addCommentReply endpoint or restrict access to trusted users only.
  • Implement web application firewall (WAF) rules to block XSS payloads in request parameters.

🔍 How to Verify

Check if Vulnerable:

Test the /book/addCommentReply endpoint by injecting a simple XSS payload (e.g., <script>alert('XSS')</script>) as an authenticated user and check if it executes when viewing comments.

Check Version:

Check the Novel-Plus version in the application's admin panel or configuration files.

Verify Fix Applied:

After patching, repeat the XSS test; the payload should be sanitized or blocked without execution.

📡 Detection & Monitoring

Log Indicators:

  • Log entries showing POST requests to /book/addCommentReply with suspicious script tags or JavaScript in parameters.

Network Indicators:

  • Unusual traffic patterns to the comment endpoint, especially from authenticated users with payload-like strings.

SIEM Query:

Example: source="web_logs" AND uri="/book/addCommentReply" AND (content CONTAINS "<script>" OR content CONTAINS "javascript:")
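The SIEM query above, carried through as an added example over constructed log lines (illustrative code for this page, not part of Novel-Plus or any SIEM product). It applies the same three conditions, source is web_logs, the URI is /book/addCommentReply, and the content carries a script tag or a javascript: URL, and goes slightly beyond the literal query in two ways a defender would want: the content field is URL-decoded before matching, because request bodies are often logged percent-encoded, and the match is case-insensitive and uses the "<script" prefix so variants with attributes are not missed. The JSON-per-line log format, field names, and user names are assumptions made for the example.

```python
import json
from urllib.parse import unquote

# Constructed sample log lines, one JSON object per request. Not real logs;
# the markup inside them is the same harmless test string the advisory uses.
SAMPLE_LOGS = [
    '{"source":"web_logs","method":"POST","uri":"/book/addCommentReply","user":"alice","content":"Great chapter, thanks"}',
    '{"source":"web_logs","method":"POST","uri":"/book/addCommentReply","user":"mallory","content":"hi <script>alert(1)</script>"}',
    '{"source":"web_logs","method":"POST","uri":"/book/addCommentReply","user":"mallory","content":"%3Cscript%3Ealert(1)%3C%2Fscript%3E"}',
    '{"source":"web_logs","method":"GET","uri":"/book/list","user":"bob","content":""}',
    '{"source":"web_logs","method":"POST","uri":"/book/addCommentReply","user":"carol","content":"see javascript:void(0) here"}',
    'this line is not JSON and must be skipped',
]

TARGET_SOURCE = "web_logs"
TARGET_URI = "/book/addCommentReply"
# "<script" (no closing bracket) also matches "<script src=...>" style tags.
MARKERS = ("<script", "javascript:")


def is_suspicious(entry: dict) -> bool:
    """The page's SIEM query applied to one parsed log entry."""
    if entry.get("source") != TARGET_SOURCE or entry.get("uri") != TARGET_URI:
        return False
    # Decode percent-encoding first, then compare case-insensitively, so encoded
    # or mixed-case payloads still trigger the rule.
    content = unquote(entry.get("content", "")).lower()
    return any(marker in content for marker in MARKERS)


def find_suspicious(lines) -> list:
    """Parse each log line as JSON (skipping malformed lines) and keep the hits."""
    hits = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if is_suspicious(entry):
            hits.append(entry)
    return hits


def hits_per_user(hits) -> dict:
    """Aggregate hits by authenticated user; repeated attempts from one account are
    the pattern the Network Indicators bullet describes."""
    counts = {}
    for entry in hits:
        user = entry.get("user", "<unknown>")
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    matched = find_suspicious(SAMPLE_LOGS)
    for entry in matched:
        print("ALERT", entry["user"], repr(entry["content"]))
    print("per user:", hits_per_user(matched))
```

A match on this rule is a trigger for review, not proof of exploitation: a legitimate user quoting HTML in a reply will also fire it, which is why the per-user aggregation is useful for prioritising.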
