Description
The Optio Dentistry plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'optio-lightbox' shortcode in all versions up to, and including, 2.2 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2025-09-06
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CWE-79: Stored Cross-Site Scripting
Action: Patch
AI Analysis

Impact

The Optio Dentistry plugin for WordPress is vulnerable to stored cross-site scripting (CWE-79) due to insufficient sanitization and escaping of user-supplied attributes in its 'optio-lightbox' shortcode. An attacker exploiting this flaw can inject arbitrary JavaScript that executes in visitors' browsers when they view pages containing the injected shortcode, compromising confidentiality, integrity and availability of site contents for all users.

Affected Systems

All WordPress sites running the Optio Dentistry plugin version 2.2 or earlier are impacted. The flaw is inherent in the plugin's shortcode handling and is not tied to a specific WordPress core version. Administrators should verify the plugin version installed and audit sites that used the shortcode.

Risk and Exploitability

This vulnerability, classified as CWE-79, has a CVSS score of 6.4, indicating moderate-high severity, while an EPSS score of less than 1% suggests a very low likelihood of real-world exploitation at the time of analysis. The flaw is not recorded in CISA's KEV catalog. Exploitation requires authenticated contributor-level or higher access, permitting injection of malicious scripts that persist across page reloads. Successful exploitation would allow attackers to hijack user sessions, steal credentials or inject further malicious payloads.

Generated by OpenCVE AI on April 20, 2026 at 21:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Optio Dentistry plugin to the latest available version, which includes proper input validation and output escaping for the shortcode.
  • If the plugin must remain installed, remove or comment out the vulnerable 'optio-lightbox' shortcode from the codebase or disable it via a functions.php snippet to prevent future injection.
  • Re-sanitize or delete any content that already contains injected scripts, especially posts or pages that used the shortcode, using a content filter or manual review.
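The second and third recommended actions carried through as an added example (this is not code from the plugin or from OpenCVE): a functions.php or must-use plugin snippet that unregisters the 'optio-lightbox' shortcode after every plugin has loaded, an illustrative replacement handler showing the attribute escaping the first action refers to, and a query that lists posts still carrying the shortcode for manual review. The function names, the attribute names (src, alt, width) and the generated markup are assumptions; the page does not describe the real plugin's attributes or output.

```php
<?php
// Added example, not the plugin's or OpenCVE's code. Hook and function names
// are assumptions; only the shortcode tag 'optio-lightbox' comes from the advisory.

// 1. Unregister the vulnerable shortcode. PHP_INT_MAX makes this callback run
//    after the plugin's own 'init' registration, so the removal sticks.
add_action( 'init', function () {
    remove_shortcode( 'optio-lightbox' );

    // 2. Optional: re-register the tag with a handler that treats every
    //    attribute as untrusted, so existing posts keep rendering safely.
    add_shortcode( 'optio-lightbox', 'example_safe_lightbox_shortcode' );
}, PHP_INT_MAX );

// Illustrative hardened handler (assumed attributes: src, alt, width).
function example_safe_lightbox_shortcode( $atts ) {
    // Whitelist the attributes; anything else the author typed is dropped.
    $atts = shortcode_atts( array(
        'src'   => '',
        'alt'   => '',
        'width' => 600,
    ), $atts, 'optio-lightbox' );

    // esc_url() returns '' for disallowed schemes such as javascript:,
    // so an unsafe src yields no output at all.
    $src = esc_url( $atts['src'] );
    if ( '' === $src ) {
        return '';
    }
    $alt   = esc_attr( $atts['alt'] );   // HTML-escapes quotes and angle brackets
    $width = absint( $atts['width'] );   // coerces to a non-negative integer

    // Every value is escaped for the attribute context it lands in.
    return sprintf(
        '<a class="example-lightbox" href="%1$s"><img src="%1$s" alt="%2$s" width="%3$d" /></a>',
        $src, $alt, $width
    );
}

// 3. List posts whose content still contains the shortcode, for review or
//    re-sanitization. Uses $wpdb->prepare() so the LIKE pattern is parameterized.
function example_find_lightbox_posts() {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( '[optio-lightbox' ) . '%';
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title, post_author, post_status
           FROM {$wpdb->posts}
          WHERE post_content LIKE %s
            AND post_status IN ('publish', 'draft', 'pending', 'future', 'private')",
        $like
    ) );
}
```

Running example_find_lightbox_posts() from WP-CLI (wp eval) or an admin-only page gives the author and status of each post to review; posts by contributor-level authors are the ones the advisory's threat model points at. Keeping step 2 is a judgement call: dropping the shortcode entirely (step 1 alone) leaves the raw tag text in pages but guarantees no attribute reaches the browser unescaped.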

Advisories

No advisories yet.

History

Mon, 08 Sep 2025 21:15:00 +0000
Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 07 Sep 2025 15:30:00 +0000
Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 06 Sep 2025 02:30:00 +0000
Type: Description
Values Added: (the description shown at the top of this page)
Type: Title
Values Added: Optio Dentistry <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Wordpress / wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:19:58.417Z

Reserved: 2025-09-02T15:18:03.400Z

Link: CVE-2025-9853

Vulnrichment

Updated: 2025-09-08T20:15:16.715Z

NVD

Status: Deferred

Published: 2025-09-06T03:15:41.993

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9853

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:00:11Z

Weaknesses