VYPR
Medium severity (CVSS 5.9) · NVD Advisory · Published Sep 22, 2025 · Updated Apr 28, 2026

CVE-2025-58658

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor – Social Proof Notifications (plugin slug: proof-factor-social-proof-notifications) allows Stored XSS. This issue affects Proof Factor – Social Proof Notifications: from n/a through <= 1.0.5.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Proof Factor Social Proof Notifications plugin (≤1.0.5) allows attackers to inject malicious scripts via improperly neutralized input.

Vulnerability

Overview

The Proof Factor – Social Proof Notifications plugin for WordPress (versions up to and including 1.0.5) contains a stored cross-site scripting (XSS) vulnerability due to improper neutralization of user-supplied input during web page generation [1]. This flaw falls under CWE-79 and allows an attacker with sufficient privileges to inject arbitrary HTML and JavaScript code that will be stored and later executed in the context of other users' browsers.

Exploitation

Details

Exploitation requires a privileged user (e.g., an administrator or editor) to perform an action such as clicking a malicious link, visiting a crafted page, or submitting a specially crafted form [1]. Once the malicious script is stored, it will be executed when any visitor (including other administrators or regular users) accesses the affected page. The vulnerability is classified as Stored XSS, meaning the injected payload persists and can affect multiple users over time.

Impact

A successful attack can lead to a range of malicious outcomes, including redirecting visitors to attacker-controlled sites, displaying unauthorized advertisements, stealing session cookies, or defacing the website [1]. Because the injected script runs in the security context of the victim's browser, it can also be used to perform actions on behalf of the victim, such as creating new admin accounts or modifying site content.

Mitigation

The vendor has not released a patched version at the time of this writing; users are strongly advised to update the plugin as soon as a fix becomes available [1]. As an immediate workaround, site administrators should review and restrict plugin permissions, and consider using a web application firewall (WAF) to block malicious payloads. This vulnerability is known to be used in mass-exploit campaigns, so immediate action is recommended [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
