CVE-2025-59545: Critical XSS Flaw in DNN Software Puts 750,000 Websites at Risk

DNN Software has issued a security advisory warning of a critical stored cross-site scripting (XSS) vulnerability in its Prompt module, tracked as CVE-2025-59545 with a CVSS score of 9.1. DNN (formerly DotNetNuke) is one of the most widely used open-source content management systems (CMS) in the Microsoft ecosystem, powering over 750,000 websites globally.

The flaw lies in how the Prompt module executes certain commands and treats their output. While DNN sanitizes most user-submitted data for safe display, the Prompt module can process malicious input in ways that bypass these defenses.

As the advisory explains, “The Prompt module allows execution of commands that can return raw HTML. Malicious input, even if sanitized for display elsewhere, can be executed when processed through certain commands, leading to potential script execution (XSS).”

This design flaw lets attackers plant scripts or harmful markup in data stored by DNN. That data is not executed where it is normally displayed, but if it is later returned by a Prompt command, the script runs in the browser of the user who ran the command.
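The defensive point above, as an added example that is not DNN's code: a hypothetical Prompt-style command is still allowed to return raw HTML (that is the feature), but every stored field it embeds is HTML-encoded first, so content that was only sanitized for display elsewhere cannot execute. `renderRowsUnsafe`, `renderRowsSafe`, `containsForeignTags` and the sample rows are constructed for this illustration.

```javascript
// Hypothetical illustration, not DNN code: a console command that returns an
// HTML table of stored records. The command emits HTML by design, so the
// protection has to sit on the data values it interpolates.

// Encode the five characters that let text break out of an HTML text node
// or attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Unsafe variant: stored fields go straight into the HTML result, so markup
// that was stored "sanitized for display elsewhere" becomes live markup here.
function renderRowsUnsafe(rows) {
  return "<table>" +
    rows.map(r => `<tr><td>${r.id}</td><td>${r.title}</td></tr>`).join("") +
    "</table>";
}

// Hardened variant: same HTML result, but every field is encoded first.
function renderRowsSafe(rows) {
  return "<table>" +
    rows.map(r => `<tr><td>${escapeHtml(r.id)}</td><td>${escapeHtml(r.title)}</td></tr>`).join("") +
    "</table>";
}

// Guard to run on a command result before handing it to the console renderer:
// true if any tag other than the ones this command itself emits is present.
function containsForeignTags(html, allowed = ["table", "tr", "td"]) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowed.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// Constructed sample data: one page title was stored with markup in it.
const sampleRows = [
  { id: 1, title: "Home" },
  { id: 2, title: "<script>alert(1)</script>" },
];
```

Running `containsForeignTags` over both renderers' output shows the unsafe result carrying a `script` tag while the hardened result contains only the command's own table markup.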

The report warns, “Simply executing a specific command through the Prompt module could render this untrusted data and cause unintended script execution in the browser, especially in the context of a super-user.”

Such exploitation could allow adversaries to hijack administrator sessions, steal sensitive data, or alter site configurations — a particularly dangerous outcome for enterprise, government, and commercial portals built on DNN.

With more than 8 million downloads and a community of 1 million members, DNN remains a leading CMS platform across industries. The advisory notes that versions prior to 10.1.0 are vulnerable, leaving a significant install base potentially exposed.

Given its high CVSS score and the privileged execution context (super-user), exploitation could provide attackers with complete administrative control over affected sites.

DNN has released version 10.1.0 to patch this flaw. All users are strongly urged to update immediately. Organizations unable to upgrade immediately should restrict access to the Prompt module and monitor administrative activity logs for signs of suspicious command execution.
