{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3457", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-08T22:21:52.250Z", "datePublished": "2025-04-22T11:12:20.601Z", "dateUpdated": "2026-04-08T16:46:07.043Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:07.043Z"}, "affected": [{"vendor": "oceanwp", "product": "Ocean Extra", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/362a01c0-8b97-40dc-8af5-0d904da96576?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.5/includes/shortcodes/shortcodes.php#L838"}, {"url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.6/inc/oceanwp-theme-icons.php#L866"}, {"url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.6/inc/oceanwp-theme-icons.php#L819"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277977/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-04-21T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T13:23:38.196719Z", "id": "CVE-2025-3457", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T13:24:03.581Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3457", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T13:23:38.196719Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T13:23:45.382Z"}}], "cna": {"title": "Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "muhammad yudha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "oceanwp", "product": "Ocean Extra", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-21T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/362a01c0-8b97-40dc-8af5-0d904da96576?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.5/includes/shortcodes/shortcodes.php#L838"}, {"url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.6/inc/oceanwp-theme-icons.php#L866"}, {"url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.6/inc/oceanwp-theme-icons.php#L819"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277977/"}], "descriptions": [{"lang": "en", "value": "The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-22T11:12:20.601Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3457", "state": "PUBLISHED", "dateUpdated": "2025-04-22T13:24:03.581Z", "dateReserved": "2025-04-08T22:21:52.250Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-22T11:12:20.601Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BC6D521C-0C9D-49F8-AB62-6FCD28233625", "versionEndExcluding": "2.4.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El complemento Ocean Extra para WordPress es vulnerable a cross-site scripting almacenado, a trav\u00e9s del shortcode 'oceanwp_icon' en todas las versiones hasta la 2.4.6 incluida, debido a una depuraci\u00f3n de entrada insuficiente y al escape de salida en los atributos proporcionados por el usuario. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-3457", "lastModified": "2025-04-30T14:07:52.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-22T12:15:16.350", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.5/includes/shortcodes/shortcodes.php#L838"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3277977/"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.6/inc/oceanwp-theme-icons.php#L819"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.6/inc/oceanwp-theme-icons.php#L866"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/362a01c0-8b97-40dc-8af5-0d904da96576?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:13:35.098130+00:00", "value": {"mitigation_remediation": ["Upgrade Ocean Extra to the latest version that removes the stored XSS vulnerability in the oceanwp_icon shortcode.", "If an upgrade is not immediately possible, remove or disable the oceanwp_icon shortcode so it cannot be used to embed malicious content.", "Limit contributor\u2011level access to trusted users and regularly audit user roles to reduce the likelihood that an authenticated attacker can inject payloads."], "summary": {"action": "Patch Upgrade", "impact": "Stored Cross\u2011Site Scripting via Shortcode"}, "threat_synthesis": {"affected_systems": "All installations of the Ocean Extra WordPress plugin version 2.4.6 or earlier are affected. The plugin is distributed under the Ocean Extra product from OceanWP. The vulnerability can be present in any WordPress site that has the plugin installed and the oceanwp_icon shortcode enabled.", "description_and_impact": "The Ocean Extra plugin contains a Stored XSS flaw in its oceanwp_icon shortcode. The flaw arises because attributes supplied to the shortcode are not properly sanitized or escaped, enabling an authenticated user with contributor\u2011level access or higher to inject JavaScript that is stored in the post content. When a victim views the page containing the injected content, the malicious script runs in that visitor\u2019s browser, potentially stealing credentials, hijacking sessions, or defacing the site.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS value is reported at less than 1%, suggesting a low probability of exploitation. The plugin is not listed in the CISA KEV catalog. Because the flaw requires authenticated contributor\u2011level access, an attacker must first obtain or abuse such credentials, which is a prerequisite before the stored XSS payload can be injected. Once the malicious script is stored, it executes in the browsers of all visitors who view the modified page, granting the attacker client\u2011side control and potential credential theft."}}}}, "created": "2026-04-21T21:15:45.451623+00:00", "updated": "2026-04-21T21:15:45.451633+00:00", "vendors": []}