Remote Code Execution in Ocean Modal Window WordPress Plugin
CVE-2025-13307

7.2HIGH

Key Information:

Vendor: WordPress
Status: Ocean Modal Window
Vendor: CVE Published:; 19 December 2025

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2025-13307?

The Ocean Modal Window plugin for WordPress prior to version 2.3.3 is susceptible to a critical vulnerability that allows remote code execution. This exploit arises from the modal display logic, which can be manipulated under conditions defined by users with editing capabilities, such as Editors and Administrators. The flawed execution of these conditions, wrapping them in an eval statement that runs on every page, potentially enables attackers to execute arbitrary code from their command, jeopardizing the security of the entire site.

Affected Version(s)

Ocean Modal Window 0 < 2.3.3

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2025-13307 - Proof of Concept

References

https://wpscan.com/vulnerability/710de342-6fb9-47bd-a40b-...

exploitvdb-entrytechnical-description

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Dec 19, 2025
👾
Exploit known to exist
Dec 19, 2025
Vulnerability published
Dec 19, 2025
Vulnerability Reserved
Nov 17, 2025

Credit

Alex Tselevich (nos3curity)

WPScan

JSON