CVE-2025-9499
Description
The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's oceanwp_library shortcode in all versions up to, and including, 2.4.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Ocean Extra plugin's oceanwp_library shortcode allows authenticated contributors to inject arbitrary scripts, affecting all versions up to 2.4.9.
Vulnerability
Overview
The Ocean Extra plugin for WordPress (versions up to 2.4.9) contains a Stored Cross-Site Scripting (XSS) vulnerability in its oceanwp_library shortcode [1]. The flaw arises from insufficient input sanitization and output escaping on user-supplied attributes, allowing malicious script injection.
Exploitation
An authenticated attacker with contributor-level access or higher can place the shortcode in a post or page with crafted attribute values. Contributors normally lack the unfiltered_html capability, so raw HTML they submit is filtered; a shortcode whose attributes are rendered without escaping gives them a way to emit markup the filter would otherwise have stripped. When any user views the page, the injected script executes in that user's browser, which is what makes this a Stored XSS.
Impact
Successful exploitation enables the attacker to execute arbitrary JavaScript with the privileges of whichever user views the page. Against an ordinary visitor this allows page defacement, redirection to malicious sites, or injection of phishing content; against a logged-in administrator it allows the script to issue authenticated requests in that administrator's name, which is the path to a full site compromise. Cookie theft is less useful here, since WordPress sets its authentication cookies as HttpOnly, but any action the victim can perform in the browser is within reach.
Mitigation
Site owners should update Ocean Extra to a release newer than 2.4.9 that addresses this issue; the affected range "up to, and including, 2.4.9" implies the fix landed after that version. Because exploitation requires contributor-level access, administrators should also review which accounts hold the Contributor role or higher, and audit existing posts and pages for oceanwp_library shortcodes whose attribute values contain quotes, angle brackets, or event-handler names, since a payload already stored in content survives the plugin update until the content itself is cleaned.
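The pattern behind the Exploitation and Mitigation sections above, as an added illustration that is not Ocean Extra's code: a shortcode handler that splices attribute values straight into HTML, beside a hardened handler that sanitizes each attribute to its expected shape and escapes it on output. The attribute names (id, class), the emitted markup, and the payload are hypothetical stand-ins; the advisory does not publish which oceanwp_library attributes are affected. The shims at the top let the file run under plain `php` for study; inside WordPress the real shortcode_atts(), esc_attr() and add_shortcode() are used instead.

```php
<?php
// Added example, not code from the Ocean Extra plugin. Attribute names, markup
// and payload are hypothetical. Shims approximate the WordPress helpers so the
// file runs stand-alone; in WordPress the real functions already exist.
if (!function_exists('shortcode_atts')) {
    function shortcode_atts(array $pairs, array $atts): array {
        $out = [];
        foreach ($pairs as $name => $default) {
            $out[$name] = array_key_exists($name, $atts) ? $atts[$name] : $default;
        }
        return $out;
    }
}
if (!function_exists('esc_attr')) {
    // WordPress esc_attr() is _wp_specialchars() with ENT_QUOTES; this is the same idea.
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('add_shortcode')) {
    function add_shortcode(string $tag, callable $callback): void { /* no-op outside WordPress */ }
}

const LIBRARY_DEFAULTS = ['id' => '', 'class' => ''];

// Vulnerable pattern: user-supplied attribute values go into HTML unescaped.
function library_shortcode_vulnerable($atts): string
{
    $a = shortcode_atts(LIBRARY_DEFAULTS, (array) $atts);
    return '<div class="oceanwp-library ' . $a['class'] . '" data-id="' . $a['id'] . '"></div>';
}

// Hardened pattern: sanitize on input to the expected shape, escape on output.
function library_shortcode_hardened($atts): string
{
    $a = shortcode_atts(LIBRARY_DEFAULTS, (array) $atts);
    // A library item ID is a post ID: keep only a non-negative integer.
    $id = (string) max(0, (int) $a['id']);
    // Same character set sanitize_html_class() allows: letters, digits, _ and -.
    $class = preg_replace('/[^A-Za-z0-9_-]/', '', $a['class']);
    return '<div class="oceanwp-library ' . esc_attr($class) . '" data-id="' . esc_attr($id) . '"></div>';
}

add_shortcode('oceanwp_library', 'library_shortcode_hardened');

// Constructed attribute-breakout payload. Contributor content is run through
// wp_kses, which strips <script> tags but does not treat the inside of a
// [shortcode ...] bracket as an HTML tag, so quotes and event-handler names
// survive. In post content it would be written with single-quoted attributes:
//   [oceanwp_library id='1' class='" onmouseover="alert(document.cookie)']
$payload = ['id' => '1', 'class' => '" onmouseover="alert(document.cookie)'];

echo library_shortcode_vulnerable($payload), PHP_EOL;
echo library_shortcode_hardened($payload), PHP_EOL;
```

Run with `php` on the command line: the vulnerable handler closes the class attribute early and emits the onmouseover handler as a live attribute of the div, while the hardened handler reduces the payload to a harmless run of letters and keeps the quote encoded. The design choice worth noting is that escaping alone (esc_attr on the raw value) would already stop this breakout, but reducing each attribute to its expected type first means a later change of output context, for example into a URL or a script block, does not reopen the hole.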
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.