Impact
The Drupal 7 Term Reference Tree module contains two stored XSS vectors that allow an attacker to inject and execute arbitrary HTML or JavaScript whenever a field that uses the module's widget or formatter is rendered. The first vector exploits the lack of sanitization in token display templates when the Token module is enabled and an attacker controls token output, such as a term description. The second vector originates from unsanitized taxonomy term labels: a user with permission to create or edit terms can embed scripts that execute when any form containing the widget is viewed. Both vectors are cross-site scripting weaknesses (CWE-79) that can compromise the confidentiality and integrity of a user's session without providing direct access to the server.
Affected Systems
Affected systems include deployments of Drupal 7 that employ the Term Reference Tree module at any 7.x-1.x release through version 7.x-1.11. The module is part of the Drupal ecosystem and is identified by the CNA as Drupal:Term Reference Tree. Administrators of sites that use this widget and allow token display templates or editing of taxonomy terms to be performed by ordinary users are most at risk.
Risk and Exploitability
The vulnerability has a CVSS score of 5.1, indicating moderate severity, and is not currently listed in CISA's KEV catalog. An EPSS score is not available, so the likelihood of exploitation cannot be quantified precisely; however, the attack requires only the ability to create or edit terms, a capability typically granted to many site editors. Exploitation can be achieved simply by inserting malicious markup into a term description or label, which is rendered unchanged when the widget is displayed. Once executed, the payload runs in the context of any user who views the affected page, potentially leading to session hijacking, defacement, or phishing attacks.
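Because both vectors reduce to term names and descriptions being echoed without escaping, a site administrator can audit existing taxonomy data for stored markup and confirm what correct output escaping looks like. The following Python script is an added example, not code from the advisory, the Term Reference Tree module, or Drupal core: it scans rows shaped like Drupal 7's taxonomy_term_data table (the rows here are constructed, not real site data) for tag openers, inline event handlers, or javascript: URLs, and shows the escaping that Drupal 7's check_plain() applies (htmlspecialchars with ENT_QUOTES, mirrored here with Python's html.escape). The function names looks_like_markup, audit_terms and safe_label are this example's own.

```python
import re
from html import escape

# Constructed sample rows shaped like Drupal 7's taxonomy_term_data table.
# These are not real site data; tid 2 and tid 3 deliberately carry markup,
# while tid 4 holds characters (&, <) that are harmless in plain text.
SAMPLE_TERMS = [
    {"tid": 1, "vid": 2, "name": "Hardware", "description": "Physical devices"},
    {"tid": 4, "vid": 2, "name": "R&D", "description": "Size < 5 cm"},
    {"tid": 2, "vid": 2, "name": "Software <b>bold</b>", "description": ""},
    {"tid": 3, "vid": 2, "name": "Ops",
     "description": "<script>/* constructed test payload */</script>"},
]

# A tag opener, an inline event-handler attribute, or a javascript: scheme.
# A plain-text label or description has no legitimate reason to contain these.
_MARKUP_RE = re.compile(r"<\s*[a-zA-Z/!?]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE)


def looks_like_markup(text: str) -> bool:
    """Return True when the string contains HTML that a browser would interpret if echoed unescaped."""
    return bool(_MARKUP_RE.search(text or ""))


def audit_terms(rows):
    """Return one finding per (term, field) whose value contains markup.

    rows is an iterable of dicts with at least tid, name and description,
    e.g. the result of: SELECT tid, vid, name, description FROM taxonomy_term_data
    """
    findings = []
    for row in rows:
        for field in ("name", "description"):
            value = row.get(field) or ""
            if looks_like_markup(value):
                findings.append({"tid": row["tid"], "field": field, "value": value})
    return findings


def safe_label(text: str) -> str:
    """Escape a label for HTML output the way Drupal 7's check_plain() does
    (htmlspecialchars with ENT_QUOTES): &, <, >, double and single quotes become entities.
    This is the transformation the widget and formatter must apply before output."""
    return escape(text or "", quote=True)


if __name__ == "__main__":
    for f in audit_terms(SAMPLE_TERMS):
        print(f"tid {f['tid']} {f['field']}: {f['value']!r} -> escaped: {safe_label(f['value'])!r}")
```

Running the script against a real export flags the terms to clean up; the escaped form printed beside each finding is what the rendered page should contain once the module escapes its output. The regex is intentionally loose so that a term like "Size < 5 cm" is not flagged while "<b>" or an on*= handler is; treat hits as candidates for review rather than proof of compromise.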
OpenCVE Enrichment