# CVE-2025-12163: Stored Cross-Site Scripting in Omnipress WordPress Plugin

[![CVE](https://img.shields.io/badge/CVE-2025--XXXXX-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-XXXXX)
[![CVSS Score](https://img.shields.io/badge/CVSS-6.4%20Medium-orange)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator)
[![WordPress Plugin](https://img.shields.io/badge/WordPress-Plugin-blue)](https://wordpress.org/plugins/omnipress/)
[![CWE-79](https://img.shields.io/badge/CWE--79-XSS-critical)](https://cwe.mitre.org/data/definitions/79.html)
[![Wordfence](https://img.shields.io/badge/Disclosed-Wordfence-success)](https://www.wordfence.com/)

> **Keywords:** CVE-2025-XXXXX, Omnipress WordPress vulnerability, stored XSS, WordPress security, authenticated XSS exploit, WordPress plugin vulnerability, CWE-79, WordPress Gutenberg blocks security, cross-site scripting, WordPress CVE 2025

## Table of Contents

- [Overview](#overview)
- [Vulnerability Details](#vulnerability-details)
- [Technical Analysis](#technical-details)
- [Attack Vector](#attack-vector)
- [Remediation Guide](#remediation)
- [CVSS Metrics](#cvss-v31-metrics)
- [References](#references)
- [Security Contact](#contact)

## Overview

**Omnipress WordPress Plugin Stored XSS Vulnerability (CVE-2025-XXXXX)** - A stored cross-site scripting vulnerability in the Omnipress Gutenberg blocks plugin allowing authenticated attackers with Author-level privileges to inject malicious scripts.

A stored cross-site scripting (XSS) vulnerability was discovered in the Omnipress WordPress plugin that allows authenticated attackers with Author-level access and above to inject arbitrary web scripts in pages that execute whenever a user accesses an injected page.

**Discovered by:** Kai Aizen 
**Published:** December 2025  
**CVSS Score:** 6.4 (Medium)  
**CWE:** CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')  
**Plugin:** Omnipress – WordPress Gutenberg Blocks Plugin  
**Attack Type:** Authenticated (Author+) Stored Cross-Site Scripting  
**Required Privileges:** Author-level access or higher

## Vulnerability Details

### Description

The Omnipress plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 1.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

### Impact

This vulnerability allows authenticated attackers to:

- Inject malicious JavaScript code that persists in the database
- Execute arbitrary scripts in the context of other users' browsers
- Potentially hijack admin sessions through XSS payloads
- Perform actions on behalf of administrators
- Steal sensitive information including cookies and session tokens

### Affected Versions

- **Vulnerable:** All versions ≤ 1.6.3
- **Patched:** Version 1.6.4 and above (check for updates)

### CVSS v3.1 Metrics

```
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
```

| Metric | Value |
| --- | --- |
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | Low (PR:L) |
| User Interaction | None (UI:N) |
| Scope | Changed (S:C) |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |

## Technical Details

The vulnerability exists due to improper handling of user input in the Omnipress block editor components:

1. The plugin fails to properly sanitize user-supplied input in certain block attributes
2. Output escaping is insufficient when rendering block content
3. Authors can craft malicious payloads that are stored in the database
4. The XSS payload executes in the browsers of users viewing the affected page
5. Due to the "Changed" scope, the vulnerability can affect resources beyond the vulnerable component

### Attack Vector

The vulnerability can be exploited by:

1. Authenticating with Author-level (or higher) credentials
2. Creating or editing a post/page using the Gutenberg editor
3. Adding an Omnipress block with a malicious payload in vulnerable attributes
4. Publishing or saving the content
5. When other users (including administrators) view the page, the malicious script executes

### Proof of Concept

A Proof of Concept demonstrating this vulnerability exists but is withheld to allow time for patching and user updates.

## Remediation

### For Site Administrators

**Immediate Action Required:**

1. Update to Omnipress version **1.6.4** or later immediately (when available)
2. Review user accounts with Author-level access or higher for suspicious activity
3. Audit existing content created with Omnipress blocks for potentially malicious payloads
4. If you cannot update immediately, consider temporarily restricting Author-level access

### Update Instructions

1. Navigate to **Plugins > Installed Plugins** in WordPress admin
2. Locate "Omnipress"
3. Click **Update Now** to upgrade to the latest version
4. Verify the update was successful
5. Clear any caching plugins/CDN to ensure changes take effect

### For Developers

Ensure all user inputs in Gutenberg blocks implement proper security controls:

```php
// Example of proper output escaping in block render
function render_block_content( $attributes ) {
    // Escape all user-supplied attributes
    $safe_content = esc_html( $attributes['content'] );
    $safe_url = esc_url( $attributes['url'] );
    $safe_attr = esc_attr( $attributes['customAttr'] );
    
    // Use wp_kses for HTML content with allowed tags
    $allowed_html = array(
        'a' => array( 'href' => array(), 'title' => array() ),
        'strong' => array(),
        'em' => array(),
    );
    $safe_html = wp_kses( $attributes['htmlContent'], $allowed_html );
    
    return sprintf(
        '<div class="%s"><a href="%s">%s</a></div>',
        $safe_attr,
        $safe_url,
        $safe_content
    );
}
```

## Timeline

- **December 2025** - Vulnerability discovered and reported
- **December 2025** - Vulnerability publicly disclosed via Wordfence
- **TBD** - Patch released by plugin vendor

## References

- [Wordfence Intelligence Database Entry](https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/omnipress/omnipress-163-authenticated-author-stored-cross-site-scripting)
- [WordPress Plugin Directory - Omnipress](https://wordpress.org/plugins/omnipress/)
- [MITRE CVE Entry](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-XXXXX)
- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)

## Credits

**Researchers:**

- **Kai Aizen** - SnailSploit


**Disclosure Process:** Coordinated through Wordfence Bug Bounty Program

## Disclaimer

This information is provided for security research and defensive purposes only. Any exploitation of this vulnerability for malicious purposes is illegal and unethical. Always obtain proper authorization before testing systems you do not own.

## Contact

For questions or additional information about this vulnerability:

- **Email:** [kai@owasp.com](mailto:kai@owasp.com)
- **Website:** [snailsploit.com](https://snailsploit.com)
- **Organization:** SnailSploit Security Research

---

*Last updated: December 2025*