VYPR

Oceanwp

by WordPress

CVEs (5)

  • CVE-2023-23700HigMay 17, 2024
    risk 0.49cvss 7.6epss 0.01

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion.This issue affects OceanWP: from n/a through 3.4.1.

  • CVE-2025-5524MedJun 19, 2025
    risk 0.32cvss 4.9epss 0.00

    The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level…

  • CVE-2025-8944MedSep 5, 2025
    risk 0.28cvss 4.3epss 0.00

    The OceanWP WordPress theme before 4.1.2 is vulnerable to an option update due to a missing capability check on one of its AJAX request handler, allowing any authenticated users, such as subscriber to update the darkMod` setting.

  • CVE-2025-8891MedAug 13, 2025
    risk 0.28cvss 4.3epss 0.00

    The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean…

  • CVE-2024-2476MedMar 29, 2024
    risk 0.28cvss 4.3epss 0.00

    The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and…