CVE-2025-63645 is a stored cross-site scripting vulnerability identified in pH7Software's pH7-Social-Dating-CMS version 17.9.1, specifically within the application's message system. The flaw occurs because the application fails to properly sanitize and contextually encode message content submitted by users before persisting it on the server. When a recipient views their Inbox, the malicious script embedded in the message executes in their browser context. This type of vulnerability allows attackers to perform actions such as stealing session cookies, executing arbitrary JavaScript, redirecting users to malicious sites, or performing actions on behalf of the victim user. The vulnerability does not require elevated privileges or complex exploitation techniques beyond sending a crafted message to a target user, making it relatively easy to exploit in environments where users communicate via the vulnerable CMS. Although no public exploits are currently known, the risk remains significant due to the nature of stored XSS attacks and their impact on user confidentiality and integrity. The lack of a CVSS score indicates the need for a manual severity assessment. The vulnerability affects the confidentiality and integrity of user data and sessions, with potential downstream effects on availability if attackers leverage the vulnerability to disrupt service or propagate malware. The scope is limited to installations of pH7-Social-Dating-CMS 17.9.1, but given the popularity of dating platforms in Europe, the impact could be widespread. The vulnerability is published and reserved in late 2025, indicating recent discovery and disclosure.

For European organizations operating social or dating platforms using pH7-Social-Dating-CMS 17.9.1, this vulnerability poses a significant risk to user data confidentiality and platform integrity. Attackers can exploit the stored XSS to hijack user sessions, steal credentials, or perform unauthorized actions, potentially leading to account compromise and reputational damage. This is particularly critical for platforms handling sensitive personal data, including private communications and user profiles. The exploitation could also facilitate phishing or malware distribution campaigns targeting European users. Additionally, regulatory implications under GDPR may arise if personal data is compromised due to inadequate security controls. The impact extends to user trust and platform availability if attackers disrupt services or cause widespread account takeovers. Organizations may face legal and financial consequences if they fail to remediate the vulnerability promptly. The absence of known exploits currently reduces immediate risk but does not eliminate the threat, as attackers often develop exploits following public disclosure.

Organizations should prioritize patching pH7-Social-Dating-CMS to the latest version once a fix is released by the vendor. In the interim, implement strict input validation on all user-submitted message content to reject or sanitize potentially malicious scripts. Employ context-aware output encoding when rendering messages in the Inbox to prevent script execution. Deploy Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of any injected code. Conduct regular security audits and penetration testing focused on XSS vulnerabilities within messaging components. Educate users about the risks of clicking on suspicious messages and encourage reporting of unusual activity. Consider implementing multi-factor authentication (MFA) to reduce the impact of compromised credentials. Monitor logs for unusual message content or user behavior indicative of exploitation attempts. Finally, maintain an incident response plan tailored to web application attacks to respond swiftly if exploitation occurs.