Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62.
AnalysisAI
A Stored Cross-Site Scripting (XSS) vulnerability exists in the OOPSpam Anti-Spam WordPress plugin through version 1.2.62, allowing attackers to inject and persist malicious JavaScript code that executes in the browsers of authenticated users and administrators. The vulnerability stems from improper input neutralization during web page generation (CWE-79), enabling attackers to compromise user sessions, steal credentials, or perform actions on behalf of affected users. No CVSS score, EPSS probability, or active exploitation data (KEV status) are currently available, but the Stored XSS classification and WordPress plugin distribution indicate moderate to high real-world risk given the plugin's accessibility and widespread WordPress ecosystem deployment.
Technical ContextAI
The OOPSpam Anti-Spam plugin (identified via CPE cpe:2.3:a:oopspam_team:oopspam_anti-spam) is a WordPress plugin designed to filter spam content. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), which occurs when user-supplied input is not properly sanitized before being rendered in HTML contexts. In WordPress plugins, this typically manifests when form inputs, settings fields, or user-generated content are stored in the database and later output without adequate escaping or sanitization functions (such as wp_kses_post() or esc_html()). The Stored XSS variant is particularly dangerous because the malicious payload persists server-side, automatically executing whenever the compromised page is loaded by any user with access to that page.
RemediationAI
Immediately update the OOPSpam Anti-Spam plugin to a version newer than 1.2.62 (check the official WordPress plugin repository or vendor advisory for the patched version number). Users should navigate to their WordPress dashboard, go to Plugins, and update OOPSpam Anti-Spam to the latest available version. For organizations unable to patch immediately, implement WordPress security hardening: restrict plugin access to authenticated administrators only using security plugins or Web Application Firewalls (WAF) that filter malicious input patterns, enforce Content Security Policy (CSP) headers to mitigate XSS payload execution, and regularly audit stored plugin data for suspicious scripts. Additionally, monitor user activity and review administrator logs for unauthorized changes to plugin settings or content. See Patchstack's advisory at https://patchstack.com/database/Wordpress/Plugin/oopspam-anti-spam/vulnerability/ for vendor-specific patching details.
More in Oopspam Anti Spam
View allCross-Site Request Forgery (CSRF) vulnerability in OOPSpam OOPSpam Anti-Spam plugin <= 1.1.44 versions. Rated high sever
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15921
GHSA-5mhc-p3xj-879x