Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpopal Opal Service opal-service allows Stored XSS. This issue affects Opal Service: from n/a through <= 1.9.1.
Published: 2025-10-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Incorrect filtering of user input during page generation allows an attacker to store malicious scripts within the Opal Service plugin. When these scripts are later rendered to visitors, they execute arbitrary JavaScript in the context of the site, potentially exposing session data, hijacking user accounts, or defacing the website.

Affected Systems

WordPress installations that use the wpopal Opal Service plugin at version 1.9.1 or older are affected by this vulnerability.

Risk and Exploitability

The vulnerability has a CVSS score of 6.5 (Medium). The EPSS score of less than 1% points to a low probability of exploitation as of the last assessment, and the issue is not listed in the CISA KEV catalog. The likely attack vector is user-supplied content that the plugin accepts and stores without proper sanitization; the attacker would need to supply such content, either via a public form or an authenticated user submission. Once stored, the malicious script executes automatically for all users who view the affected output.

Generated by OpenCVE AI on April 29, 2026 at 20:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Opal Service plugin to a version newer than 1.9.1 when it becomes available.
  • If an upgrade is delayed, disable any plugin features that accept user input or configure the plugin to enforce strict content sanitization.
  • Apply a Web Application Firewall or similar security layer that blocks or neutralizes cross‑site scripting payloads before they reach the browser.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Tue, 28 Oct 2025 14:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Oct 2025 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpopal Opal Service opal-service allows Stored XSS. This issue affects Opal Service: from n/a through <= 1.9.1.
Title WordPress Opal Service plugin <= 1.9.1 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:05.634Z

Reserved: 2025-10-24T14:24:30.143Z

Link: CVE-2025-62913

Vulnrichment

Updated: 2025-10-27T15:17:09.347Z

NVD

Status: Deferred

Published: 2025-10-27T02:15:50.813

Modified: 2026-04-27T18:16:30.123

Link: CVE-2025-62913

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T20:45:19Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')