14 matches found
CVE-2019-16250
CVE-2019-16250 affects the WordPress plugin Ocean Extra (
CVE-2021-25104
The CVE-2021-25104 issue affects the WordPress Ocean Extra plugin (versions before 1.9.5). The root cause is that generated links are not escaped when the OceanWP theme is active, leading to a Reflected Cross-Site Scripting vulnerability. The vulnerability is addressed in version 1.9.5 (remediati...
CVE-2022-3374
CVE-2022-3374 affects the WordPress Ocean Extra plugin prior to version 2.0.5. The issue is insecure deserialization: when importing a malicious Customizer Styling file, the plugin may unserialize the import content, potentially enabling PHP object injections if a high-privilege user imports such...
CVE-2025-3472
The CVE-2025-3472 entry concerns the Ocean Extra WordPress plugin (versions up to and including 2.4.6). The vulnerability arises from inadequate validation in handling shortcodes via do_shortcode, allowing unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is installed and...
CVE-2024-1277
CVE-2024-1277 affects Ocean Extra for WordPress up to version 2.2.4, enabling Stored XSS via custom fields due to insufficient input sanitization and output escaping. Exploitation requires authentication (contributor+). A fix is available in version 2.2.5; upgrade Ocean Extra to 2.2.5 or later to...
CVE-2023-0749
The CVE-2023-0749 entry concerns the Ocean Extra WordPress plugin before version 2.1.3. The vulnerability arises because the plugin does not verify that a template loaded via a shortcode is actually a template, allowing any authenticated user (e.g., a subscriber) to retrieve content from arbitrar...
CVE-2024-3167
CVE-2024-3167 is an Ocean Extra for WordPress Stored Cross-Site Scripting via the twitter_username parameter in versions up to 2.2.6 (patch released with 2.2.7). Exploitation requires authenticated access (Contributor+), allowing injection of scripts that execute when users visit affected pages. ...
CVE-2025-3458
CVE-2025-3458 (Ocean Extra, WordPress) : The Ocean Extra plugin (WordPress) up to version 2.4.6 is vulnerable to Stored Cross-Site Scripting via the ocean_gallery_id parameter. Exploitation requires authenticated access (Contributor level or higher) and the Classic Editor plugin. The vulnerabilit...
CVE-2025-3457
The CVE-2025-3457 entry describes a Stored Cross-Site Scripting (XSS) vulnerability in the WordPress Ocean Extra plugin (versions up to and including 2.4.6) that is exploitable by authenticated attackers with contributor-level access and above via the oceanwp_icon shortcode. The issue arises from...
CVE-2023-23891
The CVE-2023-23891 entry concerns the WordPress Ocean Extra plugin (OceanWP) with a Stored XSS vulnerability in versions ≤ 2.1.1 when the OceanWP theme is installed and activated. The root cause is an input handling/shortcode context that permits script injection by authenticated contributors. Af...
CVE-2023-24399
CVE-2023-24399 affects Ocean Extra (OceanWP) WordPress plugin, versions 2.1.2; Patchstack lists fixed in 2.1.3. Exploitation status not detailed in provided documents; no explicit in-the-wild exploitation information found in the connected sources. Monitor for updates and apply the patch if using...
CVE-2024-37489
CVE-2024-37489: Stored XSS in OceanWP Ocean Extra (WordPress plugin Ocean Extra) up to version 2.2.9. Requires authentication (Authenticated XSS). Root cause: improper input neutralization during web page generation. Affected: Ocean Extra
CVE-2023-49164
The CVE describes a Cross-Site Request Forgery (CSRF) in the WordPress OceanWP Ocean Extra plugin affecting versions through 2.2.2. The vulnerability enables an attacker to induce a user to trigger unintended actions on the web application, including potential arbitrary plugin activation. Impact ...
CVE-2020-36760
CVE-2020-36760 affects the Ocean Extra plugin for WordPress (versions up to 1.6.5). The root cause is missing or incorrect nonce validation in the add_core_extensions_bundle_validation() function, enabling Cross-Site Request Forgery. This allows unauthenticated attackers to validate extension bun...