Skip to main content

Oopspam Anti Spam CVE-2026-32544

| EUVDEUVD-2026-15921 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-03-25 Patchstack GHSA-5mhc-p3xj-879x
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 24, 2026 - 16:37 vuln.today
cvss_changed
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15921
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62.

AnalysisAI

A Stored Cross-Site Scripting (XSS) vulnerability exists in the OOPSpam Anti-Spam WordPress plugin through version 1.2.62, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of authenticated users and administrators. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling attackers to compromise user sessions, steal credentials, or perform actions on behalf of affected users. No CVSS score, EPSS probability, or active exploitation data (KEV status) are currently available, but the Stored XSS classification and WordPress plugin distribution indicate moderate to high real-world risk given the plugin's accessibility and widespread WordPress ecosystem deployment.

Technical ContextAI

The OOPSpam Anti-Spam plugin (identified via CPE cpe:2.3:a:oopspam_team:oopspam_anti-spam) is a WordPress plugin designed to filter spam content. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized before being rendered in HTML contexts. In WordPress plugins, this typically manifests when form inputs, settings fields, or user-generated content are stored in the database and later output without adequate escaping or sanitization functions (such as wp_kses_post() or esc_html()). The Stored XSS variant is particularly dangerous because the malicious payload persists server-side, automatically executing whenever the compromised page is loaded by any user with access to that page.

RemediationAI

Immediately update the OOPSpam Anti-Spam plugin to a version newer than 1.2.62 (check the official WordPress plugin repository or vendor advisory for the patched version number). Users should navigate to their WordPress dashboard, go to Plugins, and update OOPSpam Anti-Spam to the latest available version. For organizations unable to patch immediately, implement WordPress security hardening: restrict plugin access to authenticated administrators only using security plugins or Web Application Firewalls (WAF) that filter malicious input patterns, enforce Content Security Policy (CSP) headers to mitigate XSS payload execution, and regularly audit stored plugin data for suspicious scripts. Additionally, monitor user activity and review administrator logs for unauthorized changes to plugin settings or content. See Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/oopspam-anti-spam/vulnerability/ for vendor-specific patching details.

Share

CVE-2026-32544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy