{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32544", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:34.193Z", "datePublished": "2026-03-25T16:15:11.772Z", "dateUpdated": "2026-03-25T20:00:53.018Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "oopspam-anti-spam", "product": "OOPSpam Anti-Spam", "vendor": "OOPSpam Team", "versions": [{"changes": [{"at": "1.2.63", "status": "unaffected"}], "lessThanOrEqual": "<= 1.2.62", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:43.478Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.<p>This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62.</p>"}], "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:11.772Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/oopspam-anti-spam/vulnerability/wordpress-oopspam-anti-spam-plugin-1-2-62-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "title": "WordPress OOPSpam Anti-Spam plugin <= 1.2.62 - Cross Site Scripting (XSS) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T20:00:34.707724Z", "id": "CVE-2026-32544", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:00:53.018Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32544", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T20:00:34.707724Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T20:00:48.656Z"}}], "cna": {"title": "WordPress OOPSpam Anti-Spam plugin <= 1.2.62 - Cross Site Scripting (XSS) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "Stored XSS"}]}], "affected": [{"vendor": "OOPSpam Team", "product": "OOPSpam Anti-Spam", "versions": [{"status": "affected", "changes": [{"at": "1.2.63", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 1.2.62"}], "packageName": "oopspam-anti-spam", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:43.478Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/oopspam-anti-spam/vulnerability/wordpress-oopspam-anti-spam-plugin-1-2-62-cross-site-scripting-xss-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.<p>This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:11.772Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32544", "state": "PUBLISHED", "dateUpdated": "2026-03-25T20:00:53.018Z", "dateReserved": "2026-03-12T11:12:34.193Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:11.772Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OOPSpam Team OOPSpam Anti-Spam oopspam-anti-spam allows Stored XSS.This issue affects OOPSpam Anti-Spam: from n/a through <= 1.2.62."}], "id": "CVE-2026-32544", "lastModified": "2026-03-25T20:16:31.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:08.253", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/oopspam-anti-spam/vulnerability/wordpress-oopspam-anti-spam-plugin-1-2-62-cross-site-scripting-xss-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.2.62]"}}], "enrichment": {"confidence": 91.0, "confidence_source": "matching", "scores": [{"score": 91.0, "source": "matching"}]}, "original": {"product": "OOPSpam Anti-Spam", "source": "cna", "vendor": "OOPSpam Team"}, "product": "oopspam_anti-spam", "vendor": "oopspam"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T22:39:33.470964+00:00", "value": {"mitigation_remediation": ["Upgrade the OOPSpam Anti\u2011Spam plugin to a version newer than 1.2.62.", "If an upgrade is not immediately possible, remove or disable the plugin to eliminate the stored XSS surface.", "After updating or removing, search the site\u2019s database for any remaining malicious scripts that may have been injected.", "Implement a content security policy to mitigate the impact of any residual XSS payloads.", "Keep the WordPress core and other plugins updated to limit related attack surfaces."], "summary": {"action": "Apply Patch", "impact": "Stored cross-site scripting that allows attacker to run scripts in visitors' browsers"}, "threat_synthesis": {"affected_systems": "Any WordPress installation that has the OOPSpam Anti-Spam plugin version that is not newer than 1.2.62 is impacted. The affected range is from the earliest released version (n/a) up to and including 1.2.62. The problem exists in every release of the plugin up to that point, regardless of WordPress core version.", "description_and_impact": "The vulnerability is a stored cross-site scripting flaw in the OOPSpam Anti-Spam WordPress plugin. Improper neutralization of user input allows malicious scripts to be stored in the database and then injected into pages when visitors load them. This flaw gives an attacker the ability to run arbitrary client-side code in the browsers of site visitors, potentially leading to session hijacking, cookie theft, or defacement. The CVE record does not detail the exact input vectors; it is inferred that entries through the plugin\u2019s interfaces could be used to store the payload.", "risk_and_exploitability": "With a CVSS score of 7.1, this vulnerability is considered high severity. EPSS data is not available, and the flaw is not listed in the CISA KEV catalog, indicating no publicly known exploits at this time. Because the attack does not require elevated privileges on the host and the malicious payload executes in the victim\u2019s browser, an attacker can target any visitor to the site. A stored XSS of this nature could be abused by embedding payloads in the plugin\u2019s input fields, which the records do not explicitly detail but are inferred."}}}}, "created": "2026-03-26T11:34:47.112110+00:00", "updated": "2026-03-26T12:12:11.528843+00:00", "vendors": ["oopspam", "oopspam$PRODUCT$oopspam_anti-spam", "wordpress", "wordpress$PRODUCT$wordpress"]}