- Overview
- Vulnerability Details
- Technical Analysis
- Attack Vector
- Remediation Guide
- CVSS Metrics
- References
- Security Contact
Omnipress WordPress Plugin Stored XSS Vulnerability (CVE-2025-XXXXX) - A stored cross-site scripting vulnerability in the Omnipress Gutenberg blocks plugin allowing authenticated attackers with Author-level privileges to inject malicious scripts.
A stored cross-site scripting (XSS) vulnerability was discovered in the Omnipress WordPress plugin that allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.
Discovered by: Kai Aizen
Published: December 2025
CVSS Score: 6.4 (Medium)
CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Plugin: Omnipress – WordPress Gutenberg Blocks Plugin
Attack Type: Authenticated (Author+) Stored Cross-Site Scripting
Required Privileges: Author-level access or higher
The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
This vulnerability allows authenticated attackers to:
- Inject malicious JavaScript code that persists in the database
- Execute arbitrary scripts in the context of other users' browsers
- Potentially hijack admin sessions through XSS payloads
- Perform actions on behalf of administrators
- Steal sensitive information including cookies and session tokens
- Vulnerable: All versions ≤ 1.6.3
- Patched: Version 1.6.4 and above (check for updates)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Scope | Changed (S:C) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |
The vulnerability exists due to improper handling of user input in the Omnipress block editor components:
- The plugin fails to properly sanitize user-supplied input in certain block attributes
- Output escaping is insufficient when rendering block content
- Authors can craft malicious payloads that are stored in the database
- The XSS payload executes in the browsers of users viewing the affected page
- Due to the "Changed" scope, the vulnerability can affect resources beyond the vulnerable component
The vulnerability can be exploited by:
- Authenticating with Author-level (or higher) credentials
- Creating or editing a post/page using the Gutenberg editor
- Adding an Omnipress block with a malicious payload in vulnerable attributes
- Publishing or saving the content
- When other users (including administrators) view the page, the malicious script executes
A Proof of Concept demonstrating this vulnerability exists but is withheld to allow time for patching and user updates.
Immediate Action Required:
- Update to Omnipress version 1.6.4 or later immediately (when available)
- Review user accounts with Author-level access or higher for suspicious activity
- Audit existing content created with Omnipress blocks for potentially malicious payloads
- If you cannot update immediately, consider temporarily restricting Author-level access
- Navigate to Plugins > Installed Plugins in WordPress admin
- Locate "Omnipress"
- Click Update Now to upgrade to the latest version
- Verify the update was successful
- Clear any caching plugins/CDN to ensure changes take effect
Ensure all user inputs in Gutenberg blocks implement proper security controls:
// Example of proper output escaping in block render
function render_block_content( $attributes ) {
// Escape all user-supplied attributes
$safe_content = esc_html( $attributes['content'] );
$safe_url = esc_url( $attributes['url'] );
$safe_attr = esc_attr( $attributes['customAttr'] );
// Use wp_kses for HTML content with allowed tags
$allowed_html = array(
'a' => array( 'href' => array(), 'title' => array() ),
'strong' => array(),
'em' => array(),
);
$safe_html = wp_kses( $attributes['htmlContent'], $allowed_html );
return sprintf(
'<div class="%s"><a href="%s">%s</a></div>',
$safe_attr,
$safe_url,
$safe_content
);
}- December 2025 - Vulnerability discovered and reported
- December 2025 - Vulnerability publicly disclosed via Wordfence
- TBD - Patch released by plugin vendor
- Wordfence Intelligence Database Entry
- WordPress Plugin Directory - Omnipress
- MITRE CVE Entry
- CWE-79: Improper Neutralization of Input During Web Page Generation
Researchers:
- Kai Aizen - SnailSploit
Disclosure Process: Coordinated through Wordfence Bug Bounty Program
This information is provided for security research and defensive purposes only. Any exploitation of this vulnerability for malicious purposes is illegal and unethical. Always obtain proper authorization before testing systems you do not own.
For questions or additional information about this vulnerability:
- Email: kai@owasp.com
- Website: snailsploit.com
- Organization: SnailSploit Security Research
Last updated: December 2025
