{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-3458", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-04-08T22:36:29.084Z", "datePublished": "2025-04-22T11:12:21.602Z", "dateUpdated": "2026-04-08T17:01:21.805Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:21.805Z"}, "affected": [{"vendor": "oceanwp", "product": "Ocean Extra", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.4.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id\u2019 parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability."}], "title": "Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7595a1f6-6923-4102-8efe-a414adebce65?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.6/includes/metabox/gallery-metabox/gallery-metabox.php#L113"}, {"url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.6/includes/metabox/gallery-metabox/gallery-metabox.php#L162"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277977/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Muhammad Yudha - DJ"}], "timeline": [{"time": "2025-04-21T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-04-22T13:22:35.861883Z", "id": "CVE-2025-3458", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T13:22:45.929Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-3458", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-04-22T13:22:35.861883Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-04-22T13:22:42.609Z"}}], "cna": {"title": "Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id'", "credits": [{"lang": "en", "type": "finder", "value": "muhammad yudha"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "oceanwp", "product": "Ocean Extra", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "2.4.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-04-21T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7595a1f6-6923-4102-8efe-a414adebce65?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.6/includes/metabox/gallery-metabox/gallery-metabox.php#L113"}, {"url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.6/includes/metabox/gallery-metabox/gallery-metabox.php#L162"}, {"url": "https://plugins.trac.wordpress.org/changeset/3277977/"}], "descriptions": [{"lang": "en", "value": "The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id\u2019 parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-04-22T11:12:21.602Z"}}}, "cveMetadata": {"cveId": "CVE-2025-3458", "state": "PUBLISHED", "dateUpdated": "2025-04-22T13:22:45.929Z", "dateReserved": "2025-04-08T22:36:29.084Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-04-22T11:12:21.602Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "BC6D521C-0C9D-49F8-AB62-6FCD28233625", "versionEndExcluding": "2.4.7", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id\u2019 parameter in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The Classic Editor plugin must be installed and activated to exploit the vulnerability."}, {"lang": "es", "value": "El complemento Ocean Extra para WordPress es vulnerable a cross-site scripting almacenado, a trav\u00e9s del par\u00e1metro 'ocean_gallery_id' en todas las versiones hasta la 2.4.6 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada. El complemento Classic Editor debe estar instalado y activado para explotar esta vulnerabilidad."}], "id": "CVE-2025-3458", "lastModified": "2025-04-30T14:05:12.373", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-04-22T12:15:16.507", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.6/includes/metabox/gallery-metabox/gallery-metabox.php#L113"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/ocean-extra/tags/2.4.6/includes/metabox/gallery-metabox/gallery-metabox.php#L162"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3277977/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7595a1f6-6923-4102-8efe-a414adebce65?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T21:12:54.395892+00:00", "value": {"mitigation_remediation": ["Update the Ocean Extra plugin to the latest version that removes the vulnerability (any release newer than 2.4.6).", "If an update is not immediately possible, uninstall or disable the Classic Editor plugin so attackers cannot edit gallery metadata through the vulnerable code path.", "Review WordPress user roles and restrict Contributor and higher permissions to trusted users only; disable or limit gallery editing for contributors if not needed."], "summary": {"action": "Patch", "impact": "Stored XSS via ocean_gallery_id that allows authenticated users to inject scripts"}, "threat_synthesis": {"affected_systems": "WordPress sites running the Ocean Extra plugin version 2.4.6 or earlier are affected. The issue exists in all builds of the plugin up to that version, and the Classic Editor plugin must also be present. Updates beyond 2.4.6 remove the flaw, so the vulnerability does not apply to later releases.", "description_and_impact": "The Ocean Extra plugin for WordPress is vulnerable to Stored Cross\u2011Site Scripting (CWE\u201179) via the ocean_gallery_id parameter in all versions up to and including 2.4.6. Authenticated users with Contributor level or higher can inject arbitrary JavaScript that will run when a page containing the injected gallery is viewed. Because the scripts are stored in the database, all site visitors who load the injected gallery will execute the malicious code, potentially allowing data theft, session hijacking or defacement. The vulnerability requires the Classic Editor plugin to be installed and activated to function.", "risk_and_exploitability": "The CVSS base score of 6.4 indicates a medium severity vulnerability, while the EPSS score of less than 1% suggests a low likelihood of real\u2011world exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. An attacker needs Contributor or higher rights and enabled Classic Editor plugin, so the risk is confined to sites with permissive contributor roles. If those conditions are met, the attacker could inject malicious scripts that run for any site visitor, leading to cross\u2011site data theft or defacement."}}}}, "created": "2026-04-21T21:15:45.451083+00:00", "updated": "2026-04-21T21:15:45.451095+00:00", "vendors": []}