Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in omnipressteam Omnipress omnipress allows Stored XSS.This issue affects Omnipress: from n/a through <= 1.6.7.
Published: 2026-02-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Patch Upgrade
AI Analysis

Impact

Improper neutralization of input during web page generation (CWE‑79) creates a stored cross‑site scripting (XSS) flaw in the Omnipress WordPress plugin. Content added via the plugin’s interface is rendered without proper sanitization, allowing an attacker to embed malicious scripts that will run in the browsers of any user who views the affected content. This can enable client‑side code execution but does not expose server‑side resources directly.

Affected Systems

Omnipress, a WordPress Gutenberg block editor developed by omnipressteam, is vulnerable in every release up through version 1.6.7. Site administrators using any of these releases are at risk if the plugin is active.

Risk and Exploitability

With a CVSS score of 6.5, the flaw is rated medium. The EPSS score is below 1%, indicating a historically low probability of exploitation, and it is not listed in CISA’s KEV catalog. Based on the description, it is inferred that the vulnerability can be triggered via the plugin’s web interface and that an attacker would need the ability to add or modify content through the plugin’s authoring interface. The likely attack vector is web‑based. Successful exploitation would result in arbitrary client‑side script execution rather than direct server compromise.

Generated by OpenCVE AI on April 16, 2026 at 06:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Omnipress plugin to the latest version that removes the XSS flaw; if a recent release is unavailable, install a later patch from the project's official repository.
  • If an immediate update is not feasible, disable the Omnipress plugin until a fixed version is released to prevent malicious payloads from being stored and reflected.
  • As a temporary measure, sanitize or restrict any user input fields associated with the plugin by applying output escaping functions or configuring the hosting environment to filter executed scripts; consider using a web application firewall to block suspicious payloads.

Generated by OpenCVE AI on April 16, 2026 at 06:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Omnipressteam
Omnipressteam omnipress
Wordpress
Wordpress wordpress
Vendors & Products Omnipressteam
Omnipressteam omnipress
Wordpress
Wordpress wordpress

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in omnipressteam Omnipress omnipress allows Stored XSS.This issue affects Omnipress: from n/a through <= 1.6.7.
Title WordPress Omnipress plugin <= 1.6.7 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Omnipressteam Omnipress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-01T14:14:58.214Z

Reserved: 2026-02-02T12:53:34.262Z

Link: CVE-2026-25432

cve-icon Vulnrichment

Updated: 2026-02-19T18:25:47.072Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T09:16:24.297

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T06:30:06Z

Weaknesses