Platform
wordpress
Component
oopspam-anti-spam
Fixed in
1.2.63
CVE-2026-32544 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in OOPSpam Anti-Spam. This flaw allows attackers to inject malicious scripts into web pages viewed by other users, potentially leading to account compromise and data theft. The vulnerability impacts versions of OOPSpam Anti-Spam prior to 1.2.63, and a patch has been released to address the issue.
The primary impact of this XSS vulnerability is the ability for an attacker to execute arbitrary JavaScript code within the context of a victim's browser. This can be leveraged to steal session cookies, redirect users to malicious websites, or deface the website. Successful exploitation could lead to unauthorized access to user accounts and sensitive data stored within the WordPress environment. Because the XSS is stored, the malicious script persists until it is removed, potentially affecting multiple users over time. While no real-world exploitation of this CVE has been publicly reported, XSS vulnerabilities are consistently among the most exploited web application flaws.
CVE-2026-32544 was publicly disclosed on 2026-03-25. The vulnerability is not currently listed on the CISA KEV catalog. No public proof-of-concept exploits have been released at the time of this writing, but the ease of exploitation inherent in XSS vulnerabilities suggests a potential for rapid exploitation if the vulnerability becomes widely known.
Exploit Status
EPSS
0.04% (11th percentile)
CVSS Vector
The recommended mitigation is to immediately upgrade OOPSpam Anti-Spam to version 1.2.63 or later. If upgrading is not immediately feasible, consider implementing input validation and output encoding on user-supplied data within the OOPSpam Anti-Spam plugin. Web Application Firewalls (WAFs) configured with rules to detect and block XSS payloads can provide an additional layer of defense. Regularly scan your WordPress installation for vulnerabilities using security plugins and tools. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple XSS payload through the plugin’s input fields and verifying that the script is not executed.
Update to version 1.2.63, or a newer patched version
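As an added example that is not part of this advisory or the OOPSpam project, the following POSIX shell script reads the installed plugin version with WP-CLI and classifies it against the fixed version 1.2.63. It assumes WP-CLI (`wp`) is installed, that the plugin slug is `oopspam-anti-spam` as given in the Component field, that `wp plugin get` exits non-zero when the plugin is absent, and that `sort -V` is available (GNU or BSD coreutils).

```shell
#!/bin/sh
# Added example: classify an installed OOPSpam Anti-Spam version as affected
# (< 1.2.63) or patched, using WP-CLI to read the version from a site.

PLUGIN_SLUG="oopspam-anti-spam"   # slug from the advisory's Component field
FIXED_VERSION="1.2.63"            # from the advisory's "Fixed in" field

# version_lt A B: succeed if A sorts strictly before B by numeric segments,
# so 1.2.7 < 1.2.63 compares correctly (a plain string compare would not).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# is_affected VERSION: print "affected" (exit 0) or "patched" (exit 1).
is_affected() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "affected"
        return 0
    fi
    echo "patched"
    return 1
}

# check_site WP_PATH: read the installed version via WP-CLI and classify it.
# The plugin's active/inactive state is deliberately not consulted: the
# advisory's remediation is to upgrade any installed copy below 1.2.63.
# Assumption: `wp plugin get` exits non-zero when the plugin is not installed.
check_site() {
    wp_path="${1:-.}"
    ver="$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$wp_path" 2>/dev/null)" || {
        echo "$PLUGIN_SLUG: not installed at $wp_path"
        return 2
    }
    printf '%s %s: %s\n' "$PLUGIN_SLUG" "$ver" "$(is_affected "$ver")"
}

# Run the live check only when WP_PATH points at a WordPress root, so the
# functions above can also be sourced and reused without side effects.
if [ -n "$WP_PATH" ]; then
    check_site "$WP_PATH"
fi
```

Run it as `WP_PATH=/var/www/html sh check-oopspam.sh`; an `affected` result means the site is still on a version the advisory covers and should be upgraded to 1.2.63 or later.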
CVE-2026-32544 is a Stored Cross-Site Scripting (XSS) vulnerability affecting OOPSpam Anti-Spam versions up to 1.2.62, allowing attackers to inject malicious scripts.
You are affected if you are using OOPSpam Anti-Spam versions prior to 1.2.63. Check your plugin version and upgrade immediately if necessary.
Upgrade OOPSpam Anti-Spam to version 1.2.63 or later. Consider implementing input validation and output encoding as an additional precaution.
No active exploitation has been publicly reported, but the vulnerability's nature suggests a potential for rapid exploitation.
Refer to the OOPSpam Anti-Spam website or WordPress plugin repository for the official advisory and release notes.