Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor – Social Proof Notifications proof-factor-social-proof-notifications allows Stored XSS.This issue affects Proof Factor – Social Proof Notifications: from n/a through <= 1.0.5.
Published: 2025-09-22
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw that allows an attacker to inject malicious scripts into the WordPress site. The vulnerability is identified as CWE‑79. The stored XSS occurs when input is not neutralized during rendering in the plugin, enabling potentially arbitrary JavaScript execution in the context of the affected site's visitors. Attackers could use the injected scripts to steal user data, hijack sessions, or deface the website, compromising confidentiality, integrity, and availability of the affected WordPress instance.

Affected Systems

The affected product is the Proof Factor – Social Proof Notifications plugin from Proof Factor LLC. Versions n/a through 1.0.5 are vulnerable. Any WordPress site that has installed this plugin, regardless of WordPress core version, is at risk until a later version or removal is applied.

Risk and Exploitability

The CVSS score is 5.9, indicating moderate severity. The EPSS score of less than 1% suggests a very low probability of exploitation in the wild. It is not listed in the CISA KEV catalog, indicating no known exploitation so far. The likely attack vector is that a user with the authority to create or edit notifications can supply malicious content that is stored and later rendered to site visitors, enabling XSS. If an attacker can use a publicly accessible form, the risk could broaden. Overall, the risk is moderate but exploitable without a critical patch.

Generated by OpenCVE AI on April 30, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Proof Factor – Social Proof Notifications plugin to a version higher than 1.0.5, if an update is released.
  • If an update is not available, remove or disable the plugin to stop storing unfiltered notification content.
  • As a compensating measure, enforce a content‑security‑policy that blocks inline scripts or use a plugin that sanitizes notification content before rendering.

Generated by OpenCVE AI on April 30, 2026 at 01:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30548 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor &#8211; Social Proof Notifications allows Stored XSS. This issue affects Proof Factor &#8211; Social Proof Notifications: from n/a through 1.0.5.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor &#8211; Social Proof Notifications proof-factor-social-proof-notifications allows Stored XSS.This issue affects Proof Factor &#8211; Social Proof Notifications: from n/a through <= 1.0.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor – Social Proof Notifications proof-factor-social-proof-notifications allows Stored XSS.This issue affects Proof Factor – Social Proof Notifications: from n/a through <= 1.0.5.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor &#8211; Social Proof Notifications allows Stored XSS. This issue affects Proof Factor &#8211; Social Proof Notifications: from n/a through 1.0.5. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor &#8211; Social Proof Notifications proof-factor-social-proof-notifications allows Stored XSS.This issue affects Proof Factor &#8211; Social Proof Notifications: from n/a through <= 1.0.5.
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Tue, 23 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Proof Factor LLC Proof Factor &#8211; Social Proof Notifications allows Stored XSS. This issue affects Proof Factor &#8211; Social Proof Notifications: from n/a through 1.0.5.
Title WordPress Proof Factor – Social Proof Notifications Plugin <= 1.0.5 - Cross Site Scripting (XSS) Vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-12T00:55:38.670Z

Reserved: 2025-09-03T09:03:29.730Z

Link: CVE-2025-58658

cve-icon Vulnrichment

Updated: 2025-09-23T16:01:39.137Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:16.207

Modified: 2026-04-28T19:34:12.520

Link: CVE-2025-58658

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T01:45:06Z

Weaknesses