Medium severity4.3NVD Advisory· Published Aug 13, 2025· Updated Jun 17, 2026
CVE-2025-8891
CVE-2025-8891
Description
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- oceanwp/OceanWPv5Range: 4.0.9
Patches
Vulnerability mechanics
References
3- themes.trac.wordpress.org/changeset/283264/oceanwp/4.1.2/inc/activation-notice/api.phpnvdPatch
- research.cleantalk.org/cve-2025-8891/nvdExploitThird Party Advisory
- www.wordfence.com/threat-intel/vulnerabilities/id/9c6f9a3d-54a6-4405-b42b-37fc8342af96nvdThird Party Advisory
News mentions
0No linked articles in our index yet.