Description
The Osom Blocks – Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-06-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-site scripting leading to arbitrary JavaScript execution by authenticated contributors
Action: Update Plugin
AI Analysis

Impact

The Osom Blocks – Custom Post Type listing block plugin for WordPress contains a Stored Cross-Site Scripting vulnerability that originates from insufficient input sanitization and output escaping of the class_name field. As a result, an authenticated user with Contributor privileges or higher can inject arbitrary JavaScript into block listings; the payload persists in the database and executes whenever a victim visits a page that renders the injected block. These client-side scripts can be used to steal session cookies, deface content, or otherwise perform malicious actions on behalf of the victim user.

Affected Systems

All publicly released versions of the Osom Blocks plugin for WordPress from the vendor osompress, including version 1.2.1 and earlier, are affected. Any WordPress site that installs the plugin and has contributors or higher roles is potentially vulnerable, regardless of which theme or other plugins are in use. No information is available indicating that later releases contain a fix, so site owners should check the plugin’s update channel or vendor announcements for an approved patch.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, placing it in the moderate severity range, and an EPSS score of less than 1%, suggesting a relatively low likelihood of exploitation in the wild at the time of analysis. It is not listed in the CISA KEV catalog. Exploitation requires an authenticated session with Contributor or higher privilege; the attacker must create or edit a block with a crafted class_name value that is rendered without proper escaping. Successful exploitation would lead to arbitrary script execution in the victim’s browser, enabling theft of credentials, defacement, or further compromise of the site.
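As an added illustration (not the Osom Blocks plugin's own code), the two render patterns below show the defect class the Impact and Risk sections describe and the WordPress-idiomatic fix: a hypothetical block attribute `class_name` is written into a `class` attribute either raw, or after `sanitize_html_class()` per token plus `esc_attr()` at output. It assumes WordPress is loaded so those core helpers exist; the block name and function names are invented for the example.

```php
<?php
// Added example, not code from the Osom Blocks plugin. Assumes WordPress
// is loaded (sanitize_html_class() and esc_attr() are core helpers).

// Vulnerable pattern: the stored attribute is concatenated into the
// markup unchanged. A constructed value such as  col-2"  is emitted
// verbatim, so the quote ends the class attribute early and whatever
// follows becomes markup. No sanitization on save and no escaping on
// output is exactly the defect class CWE-79 describes.
function example_listing_render_unsafe( array $attributes ) : string {
    $class = $attributes['class_name'] ?? '';
    return '<ul class="example-listing ' . $class . '"></ul>';
}

// Hardened pattern, step 1: reduce the value to valid CSS class tokens.
// sanitize_html_class() keeps only [A-Za-z0-9_-], so quotes, angle
// brackets, slashes and whitespace cannot survive in any token.
function example_sanitize_class_list( string $raw ) : string {
    $tokens = preg_split( '/\s+/', trim( $raw ) );
    $clean  = array();
    foreach ( (array) $tokens as $token ) {
        $token = sanitize_html_class( $token );
        if ( '' !== $token ) {
            $clean[] = $token;
        }
    }
    return implode( ' ', $clean );
}

// Hardened pattern, step 2: escape at the point of output regardless of
// what was saved. esc_attr() is the context-specific escaper for an HTML
// attribute value; sanitizing alone is not a substitute for it.
function example_listing_render_safe( array $attributes ) : string {
    $raw   = (string) ( $attributes['class_name'] ?? '' );
    $class = example_sanitize_class_list( $raw );
    return '<ul class="' . esc_attr( 'example-listing ' . $class ) . '"></ul>';
}

// Registering the (hypothetical) block with the safe render callback,
// normally from the 'init' hook. Attribute values arrive as stored in
// post_content, so the render callback, not the editor, is the trust boundary.
register_block_type( 'example/cpt-listing', array(
    'attributes'      => array(
        'class_name' => array( 'type' => 'string', 'default' => '' ),
    ),
    'render_callback' => 'example_listing_render_safe',
) );
```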

Generated by OpenCVE AI on April 22, 2026 at 01:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Osom Blocks plugin to the latest release that includes a patch for the class_name XSS issue. If no public fix is announced, contact the vendor for a release note or temporary advisory.
  • Remove or disable the use of blocks that accept a class_name parameter on pages until a patched version is available, replacing them with safe, static content.
  • Audit all existing posts and pages that include Osom Blocks to identify and delete any malicious script payloads that may have been injected previously, ensuring the database does not persist harmful code.
  • Enforce least-privilege on WordPress contributors to limit the risk of unauthorized script injections.

Advisories

Source: EUVD
ID: EUVD-2025-19355
Title: The Osom Blocks – Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

History

Wed, 08 Apr 2026 17:45:00 +0000

Mon, 07 Jul 2025 16:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Osompress; Osompress osom Blocks
CPEs                |                | cpe:2.3:a:osompress:osom_blocks:*:*:*:*:*:wordpress:*:*
Vendors & Products  |                | Osompress; Osompress osom Blocks

Fri, 27 Jun 2025 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc (version 2.0.3): Automatable: no; Exploitation: none; Technical Impact: partial

Fri, 27 Jun 2025 07:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Osom Blocks – Custom Post Type listing block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘class_name’ parameter in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title       |                | Osom Blocks <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via class_name Parameter
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: score 6.4, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:53:24.707Z

Reserved: 2025-06-09T16:00:30.622Z

Link: CVE-2025-5940

Vulnrichment

Updated: 2025-06-27T13:50:07.281Z

NVD

Status: Modified

Published: 2025-06-27T08:15:22.857

Modified: 2026-04-08T18:24:58.863

Link: CVE-2025-5940

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:15:07Z

Weaknesses