CVE-2025-63644 is a stored cross-site scripting (XSS) vulnerability identified in pH7Software's pH7-Social-Dating-CMS version 17.9.1. The vulnerability resides in the user profile Description field, where malicious JavaScript code can be injected and stored persistently. When other users or administrators view the compromised profile, the injected script executes in their browsers within the context of the vulnerable web application. This can lead to session hijacking, theft of sensitive information such as cookies or credentials, and potentially the delivery of further malware or phishing attacks. Stored XSS is particularly dangerous because it does not require the attacker to trick users into clicking malicious links; the payload is served directly from the trusted site. The vulnerability does not require authentication, meaning any user or attacker can exploit it by submitting crafted input in the profile Description field. No CVSS score has been assigned yet, and no official patches or known exploits are currently documented. However, the vulnerability's presence in a social/dating CMS platform increases the risk due to the sensitive nature of user data and the trust users place in such platforms. The lack of input sanitization or output encoding in the Description field is the root cause, indicating a need for secure coding practices. Organizations using this CMS should prioritize remediation to prevent exploitation.

For European organizations operating social or dating platforms using pH7-Social-Dating-CMS, this vulnerability can lead to significant confidentiality breaches, including theft of user credentials and personal data. The integrity of user profiles can be compromised, allowing attackers to manipulate displayed information or inject malicious content. Availability impact is limited but could occur if attackers use the vulnerability to conduct further attacks that degrade service. Reputational damage is a critical concern, as users expect privacy and security on dating platforms. The vulnerability could also facilitate broader attacks such as phishing campaigns targeting users of the platform. Given the social nature of the CMS, the user base is likely to be diverse and sensitive, increasing regulatory risks under GDPR if personal data is exposed or mishandled. The absence of known exploits currently reduces immediate risk but does not diminish the potential impact if exploited. Organizations may face legal and compliance consequences if they fail to address this vulnerability promptly.

Organizations should immediately review and sanitize all user inputs in the profile Description field to prevent injection of malicious scripts. Implement strict output encoding to ensure any user-supplied content is safely rendered in browsers. Apply Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Monitor user profiles for suspicious content and remove any detected malicious scripts. Since no official patch is currently available, consider applying temporary workarounds such as disabling the Description field or restricting its content length and allowed characters. Educate users about the risks of interacting with suspicious profiles and encourage reporting of unusual behavior. Regularly audit and update the CMS and its components to incorporate security fixes once released. Employ web application firewalls (WAFs) with rules to detect and block XSS payloads targeting this vulnerability. Finally, prepare incident response plans to quickly address any exploitation attempts.