CVE-2025-58658 is a medium-severity Stored Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting the Proof Factor LLC product "Proof Factor – Social Proof Notifications" up to version 1.0.5. Stored XSS occurs when malicious input is improperly neutralized and then persistently stored by the application, later executed in the context of users' browsers. In this case, the vulnerability arises from improper input sanitization during web page generation, allowing an attacker with high privileges and requiring user interaction to inject malicious scripts. The CVSS 3.1 vector (AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L) indicates that the attack can be performed remotely over the network with low attack complexity, but requires high privileges and user interaction. The vulnerability impacts confidentiality, integrity, and availability to a limited extent, as the attacker can execute scripts in the victim’s browser, potentially stealing session tokens, manipulating displayed content, or causing denial of service. The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches are yet linked. The vulnerability was published on September 22, 2025, and was reserved earlier that month.

For European organizations using Proof Factor – Social Proof Notifications, this vulnerability could lead to unauthorized script execution within the browsers of users interacting with the affected notifications. This could result in theft of sensitive session information, unauthorized actions performed on behalf of users, or defacement of web content, undermining user trust and potentially exposing personal data. Given the social proof notifications are often used in marketing and e-commerce contexts, exploitation could disrupt customer interactions, damage brand reputation, and lead to regulatory compliance issues under GDPR if personal data is compromised. The requirement for high privileges to inject the malicious payload limits the risk to internal threat actors or compromised administrative accounts, but the need for user interaction means phishing or social engineering could facilitate exploitation. The vulnerability’s impact on availability is limited but could be leveraged for denial-of-service conditions in the user interface. Overall, the threat is moderate but significant enough to warrant prompt attention in European environments where the product is deployed.

1. Immediate mitigation should include restricting administrative access to the Proof Factor plugin to trusted personnel only, minimizing the risk of malicious input injection. 2. Implement strict input validation and output encoding on all user-supplied data within the plugin, especially for fields that generate web page content. 3. Employ Content Security Policy (CSP) headers to reduce the impact of potential XSS by restricting script execution sources. 4. Monitor logs for unusual administrative activities that could indicate attempts to exploit this vulnerability. 5. Until an official patch is released, consider disabling or removing the Proof Factor – Social Proof Notifications plugin if feasible, especially in high-risk environments. 6. Educate users and administrators about the risks of phishing and social engineering that could facilitate exploitation. 7. Once available, promptly apply vendor patches or updates addressing this vulnerability. 8. Conduct regular security assessments and penetration testing focusing on web application input sanitization and stored XSS vectors.