CVE-2025-63645 is a stored cross-site scripting (XSS) vulnerability identified in pH7Software's pH7-Social-Dating-CMS version 17.9.1, specifically within its message system. The vulnerability arises because the application fails to properly sanitize and encode message content submitted by users before storing it on the server. When another user views their Inbox, the malicious script embedded in the message content executes in the context of the victim's browser. This stored XSS attack vector allows an attacker to execute arbitrary JavaScript code, potentially leading to session hijacking, theft of sensitive information, or unauthorized actions performed on behalf of the victim. The vulnerability requires the attacker to have at least limited privileges to send messages and the victim to interact by opening the malicious message, which involves user interaction. The CVSS 3.1 base score is 5.4, indicating a medium severity level, with the vector indicating network attack vector, low attack complexity, privileges required, user interaction required, and a scope change. No patches or known exploits are currently reported, but the vulnerability represents a significant risk for platforms relying on this CMS for user communications. The root cause is improper input validation and lack of context-aware output encoding, a classic CWE-79 issue. Without remediation, attackers can leverage this flaw to compromise user accounts and trust in the platform.

For European organizations operating social or dating platforms using pH7-Social-Dating-CMS, this vulnerability could lead to unauthorized script execution in users' browsers, resulting in session hijacking, credential theft, or phishing attacks. The confidentiality and integrity of user data are at risk, as attackers can steal cookies or tokens and manipulate user interactions. Although availability is not directly impacted, the reputational damage and loss of user trust could be significant, especially for platforms handling sensitive personal information. Regulatory compliance risks under GDPR may arise if personal data is compromised due to this vulnerability. The medium CVSS score reflects moderate risk, but the actual impact depends on the scale of platform usage and the sensitivity of the data handled. Attackers exploiting this flaw could target high-profile users or leverage the platform for broader social engineering campaigns within Europe.

To mitigate CVE-2025-63645, organizations should immediately implement proper input validation on all message content submitted by users, ensuring that potentially dangerous characters or scripts are sanitized before storage. Additionally, context-aware output encoding must be applied when rendering messages in the Inbox to prevent script execution. Employing security libraries or frameworks that automatically handle XSS prevention is recommended. Restricting the types of content allowed in messages (e.g., disallowing HTML or JavaScript) can reduce risk. Monitoring and logging message traffic for suspicious payloads or anomalous user behavior can help detect exploitation attempts. Organizations should also educate users about the risks of interacting with unexpected or suspicious messages. Finally, applying security headers such as Content Security Policy (CSP) can provide an additional layer of defense against XSS attacks. Since no official patch is currently available, these compensating controls are critical until an update is released.