VYPR
High severity 7.2 · NVD Advisory · Published Dec 19, 2025 · Updated Apr 15, 2026

CVE-2025-13307

Description

The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. Modals can be displayed under user-controlled conditions that Editors and Administrators (users with the edit_pages capability) can set. These conditions are then passed to an eval statement that runs on every site page, which leads to remote code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Ocean Modal Window WordPress plugin before 2.3.3 allows Editor+ users to inject PHP code via eval() in modal conditions, enabling remote code execution.

The Ocean Modal Window WordPress plugin (versions before 2.3.3) contains a critical remote code execution vulnerability in its modal display logic. The plugin uses PHP eval() to evaluate user-defined conditions that determine when a modal window should appear on a page. These conditions are stored as user-controlled input and executed on every site page, without sufficient sanitization or validation, allowing an attacker to inject arbitrary PHP code [1].

The vulnerability can be exploited by users with the edit_pages capability, typically Editors and Administrators. An attacker who can access the modal configuration interface can craft a malicious condition string that, when processed by the eval() statement, executes arbitrary PHP commands on the server. The attack requires no special network position beyond backend access to the WordPress admin panel, as the exploit payload is stored in the plugin's settings and triggered during normal page rendering [1].

Successful exploitation leads to full remote code execution on the underlying server. An attacker can then perform actions such as reading sensitive files, modifying database contents, creating or deleting files, installing backdoors, or pivoting to other systems. This vulnerability is particularly severe because it can be triggered without further authentication once stored — the malicious condition is evaluated on every site page load [1].

The vulnerability has been fixed in version 2.3.3 of the plugin. Users are strongly advised to update to this version or deactivate the plugin until an update is applied. No known workarounds or mitigations are provided beyond patching. The issue was reported by researcher Alex Tselevich (nos3curity) and published on November 28, 2025 [1].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.