Stored Cross-Site Scripting Vulnerability in Ocean Extra Plugin by OceanWP
CVE-2025-3457

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Ocean Extra
Vendor: CVE Published:; 22 April 2025

What is CVE-2025-3457?

The Ocean Extra plugin for WordPress suffers from a Stored Cross-Site Scripting vulnerability via the 'oceanwp_icon' shortcode. This flaw is present in all versions up to and including 2.4.6 due to insufficient input sanitization and output escaping of user-supplied attributes. Authenticated attackers with contributor-level access or higher can exploit this flaw to inject malicious web scripts into pages, leading to potential execution whenever a user accesses the compromised page.

Affected Version(s)

Ocean Extra * <= 2.4.6

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ocean-extra/ta...

https://themes.trac.wordpress.org/browser/oceanwp/4.0.6/i...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 22, 2025
Vulnerability Reserved
Apr 8, 2025

Credit

muhammad yudha