cbcvebase.
CVE-2025-60378
published 2025-10-10

Priority: P3, 55
Severity: high
CVSS 3.1: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS: 1.06% (60.5th percentile)

Stored HTML injection in RISE Ultimate Project Manager & CRM allows authenticated users to inject arbitrary HTML into invoices and messages. Injected content renders in emails, PDFs, and messaging/chat modules sent to clients or team members, enabling phishing, credential theft, and business email compromise. Automated recurring invoices and messaging amplify the risk by distributing malicious content to multiple recipients.

Affected

1 range

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| fairsketch | rise_ultimate_project_manager | < 3.9.4 | 3.9.4 |