VYPR
Vendor: Oceanwp

Products: 2
CVEs: 12
Across products: 12
Status: Private

Recent CVEs (12)

  • CVE-2025-13307 | High | Dec 19, 2025
    risk 0.47 | cvss 7.2 | epss 0.00

    The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then…

  • CVE-2025-3472 | Med | Apr 22, 2025
    risk 0.42 | cvss 6.5 | epss 0.02

    The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it…

  • CVE-2025-3458 | Med | Apr 22, 2025
    risk 0.42 | cvss 6.4 | epss 0.00

    The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id' parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,…

  • CVE-2024-37489 | Med | Jul 21, 2024
    risk 0.42 | cvss 6.5 | epss 0.00

    Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OceanWP Ocean Extra allows Stored XSS. This issue affects Ocean Extra: from n/a through 2.2.9.

  • CVE-2024-3167 | Med | Apr 9, 2024
    risk 0.42 | cvss 6.4 | epss 0.01

    The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up to, and including, 2.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…

  • CVE-2024-1277 | Med | Feb 29, 2024
    risk 0.42 | cvss 6.4 | epss 0.00

    The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom fields in all versions up to, and including, 2.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access…

  • CVE-2023-23891 | Med | Apr 6, 2023
    risk 0.36 | cvss 5.5 | epss 0.00

    Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.1 versions. Needs the OceanWP theme installed and activated.

  • CVE-2023-24399 | Med | Mar 30, 2023
    risk 0.36 | cvss 5.5 | epss 0.00

    Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.2 versions.

  • CVE-2026-34903 | Med | Apr 7, 2026
    risk 0.35 | cvss 5.4 | epss 0.00

    Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ocean Extra: from n/a through 2.5.3.

  • CVE-2025-3457 | Med | Apr 22, 2025
    risk 0.35 | cvss 6.4 | epss 0.00

    The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible…

  • CVE-2023-49164 | Med | Dec 19, 2023
    risk 0.35 | cvss 5.4 | epss 0.00

    Cross-Site Request Forgery (CSRF) vulnerability in OceanWP Ocean Extra. This issue affects Ocean Extra: from n/a through 2.2.2.

  • CVE-2020-36760 | Med | Jul 12, 2023
    risk 0.28 | cvss 4.3 | epss 0.01

    The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5. This is due to missing or incorrect nonce validation on the add_core_extensions_bundle_validation() function. This makes it possible for unauthenticated…