Impact
The vulnerability is a stored cross-site scripting (XSS) flaw in the OOPSpam Anti-Spam WordPress plugin. Improper neutralization of user-supplied input allows a script payload to be saved in the site database and rendered into pages when visitors load them, so the payload runs in the browser of every visitor who views an affected page. From there an attacker can execute arbitrary client-side code, which can lead to session hijacking, cookie theft, or defacement. The CVE record does not identify the exact input vector; it is inferred, not confirmed, that data submitted through the plugin's own interfaces is what gets stored and later rendered.
Affected Systems
Any WordPress installation running OOPSpam Anti-Spam version 1.2.62 or earlier is affected. The record gives the lower bound of the affected range as n/a, meaning the flaw is present from the earliest release up to and including 1.2.62, regardless of the WordPress core version in use.
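As an added practical check, not part of the CVE record or of the plugin's own code: the Python script below reads the standard WordPress plugin header for its `Version:` line and decides whether the installed build falls in the affected range (1.2.62 or earlier). The sample header is constructed here, the plugin path used in `assess_plugin_file` is an assumption (the real main file may live elsewhere), and the check only tells you whether you are in the affected range; it does not name the fixed release, which the record does not state either.

```python
import re
from typing import Optional, Tuple

# Constructed sample of a WordPress plugin main-file header. This is NOT the
# real OOPSpam file; only the header format (standard for WP plugins) is real.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: OOPSpam Anti-Spam
 * Description: Header constructed for this example.
 * Version: 1.2.62
 */
"""

# Last version the record lists as affected; anything at or below this is in range.
LAST_AFFECTED = "1.2.62"

# Assumed location; adjust to where the plugin's main file actually lives.
ASSUMED_PLUGIN_FILE = "wp-content/plugins/oopspam-anti-spam/oopspam-anti-spam.php"


def parse_plugin_version(header_text: str) -> Optional[str]:
    """Return the value of the 'Version:' header line, or None if absent."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text,
                  re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Split a dotted version into integers so 1.2.7 < 1.2.62 < 1.2.100.

    A trailing non-numeric tag (e.g. '1.2.63-beta') is dropped, so a
    pre-release of a later number is treated as that number; confirm such
    builds by hand rather than trusting this comparison.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group(0)) if m else 0)
    return tuple(parts)


def is_affected(installed: str, last_affected: str = LAST_AFFECTED) -> bool:
    """True when installed <= last_affected, comparing component by component."""
    a, b = version_tuple(installed), version_tuple(last_affected)
    width = max(len(a), len(b))
    # Pad the shorter tuple with zeros so '1.2' compares as '1.2.0'.
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a <= b


def assess_header(header_text: str) -> Tuple[Optional[str], bool]:
    """Return (version, affected). A missing version is reported as affected
    so that an unreadable header is never silently treated as safe."""
    version = parse_plugin_version(header_text)
    if version is None:
        return None, True
    return version, is_affected(version)


def assess_plugin_file(path: str = ASSUMED_PLUGIN_FILE) -> Tuple[Optional[str], bool]:
    """Read a plugin main file from disk and assess it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        # The header sits in the first few KB; no need to read the whole file.
        return assess_header(fh.read(8192))


if __name__ == "__main__":
    version, affected = assess_header(SAMPLE_PLUGIN_HEADER)
    print(f"installed {version}: {'AFFECTED' if affected else 'not in affected range'}")
```

Run it against the real file with `assess_plugin_file()` once the path is corrected; treat a `None` version as a reason to inspect the install manually, not as a pass.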
Risk and Exploitability
With a CVSS score of 7.1, this vulnerability is rated high severity. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog; that means CISA has not confirmed exploitation in the wild, not that no exploit exists. Because the payload runs in the victim's browser rather than on the server, the attacker needs no privileges on the host and can reach any visitor to the affected pages; whether placing the payload requires an authenticated WordPress role is not stated in the record. The likely abuse path, inferred rather than documented, is embedding the payload in the plugin's input fields so that it is stored and later rendered unescaped.
OpenCVE Enrichment