CVE-2025-53276

Vulnerability

Overview A DOM-based Cross-Site Scripting (XSS) vulnerability has been discovered in the Omnipress WordPress plugin (versions up to and including 1.6.4). The root cause is improper neutralization of user-supplied input during web page generation, allowing an attacker to inject and execute arbitrary JavaScript in the context of a victim's browser session [1].

Exploitation

Prerequisites Exploitation requires a privileged user (e.g., administrator) to perform an action such as clicking a crafted link or submitting a malicious form. This user interaction is necessary for the DOM-based XSS to trigger, as the vulnerability is initiated by the attacker but executed only when the victim interacts with the injected payload [1].

Impact

Successful exploitation enables an attacker to inject malicious scripts, potentially leading to redirects, unauthorized advertisements, or other HTML payloads. These scripts execute when other visitors access the affected site, compromising user trust and site integrity [1].

Mitigation

The vulnerability is rated Medium (CVSS 6.5) and is considered low severity for WordPress environments. The Omnipress plugin has been patched in version 1.6.5. Users are strongly advised to update immediately or enable auto-updates for vulnerable plugins via Patchstack [1].