{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5524", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-03T11:46:54.223Z", "datePublished": "2025-06-19T04:25:19.424Z", "dateUpdated": "2026-04-08T16:46:24.626Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:46:24.626Z"}, "affected": [{"vendor": "oceanwp", "product": "OceanWP", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.0.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "OceanWP <= 4.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Select HTML Tag", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37b085f9-3b15-44aa-9ba0-de5321dfbce4?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.9/assets/js/select.min.js"}, {"url": "https://themes.trac.wordpress.org/changeset/276114/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "timeline": [{"time": "2025-05-29T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-06-18T16:22:13.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-20T12:38:19.975128Z", "id": "CVE-2025-5524", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T13:11:57.382Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5524", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-20T12:38:19.975128Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-20T12:38:21.014Z"}}], "cna": {"title": "OceanWP <= 4.0.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via Select HTML Tag", "credits": [{"lang": "en", "type": "finder", "value": "Asaf Mozes"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "oceanwp", "product": "OceanWP", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.0.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-05-29T00:00:00.000+00:00", "value": "Discovered"}, {"lang": "en", "time": "2025-06-18T16:22:13.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37b085f9-3b15-44aa-9ba0-de5321dfbce4?source=cve"}, {"url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.9/assets/js/select.min.js"}, {"url": "https://themes.trac.wordpress.org/changeset/276114/"}], "descriptions": [{"lang": "en", "value": "The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-06-19T04:25:19.424Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5524", "state": "PUBLISHED", "dateUpdated": "2025-06-20T13:11:57.382Z", "dateReserved": "2025-06-03T11:46:54.223Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-19T04:25:19.424Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}, {"lang": "es", "value": "El tema OceanWP para WordPress es vulnerable a Cross-site Scripting almacenado a trav\u00e9s de la etiqueta Select HTML en todas las versiones hasta la 4.0.9 incluida, debido a una depuraci\u00f3n de entrada y un escape de salida insuficientes. Esto permite a atacantes autenticados, con acceso de colaborador o superior, inyectar scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n al acceder un usuario a una p\u00e1gina inyectada."}], "id": "CVE-2025-5524", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-06-19T05:15:23.570", "references": [{"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/browser/oceanwp/4.0.9/assets/js/select.min.js"}, {"source": "security@wordfence.com", "url": "https://themes.trac.wordpress.org/changeset/276114/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/37b085f9-3b15-44aa-9ba0-de5321dfbce4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:08:54.278632+00:00", "value": {"mitigation_remediation": ["Update the OceanWP theme to the latest release (version 4.1 or higher); this removes the vulnerable Select HTML handling.", "Remove or replace any page or post content that contains injected script tags recorded during the period before the patch was applied.", "Restrict the permissions of Contributor\u2011level users until a full audit and confirmation of no remaining XSS payloads has been completed, and enable two\u2011factor authentication for accounts with elevated privileges."], "summary": {"action": "Patch Theme", "impact": "Stored Cross\u2011Site Scripting (CWE\u201179)"}, "threat_synthesis": {"affected_systems": "All installations of OceanWP theme with version 4.0.9 or earlier are affected. The problem exists in the theme\u2019s JavaScript handling of the Select HTML tag within the content editor. Users running any OceanWP build up to and including 4.0.9 are at risk unless they have verified that the code has been patched.", "description_and_impact": "OceanWP, a WordPress theme, permits authenticated contributors or higher roles to insert arbitrary JavaScript through the Select HTML tag. The insufficient input sanitization allows a stored XSS payload to be persisted in page content, which executes in every user\u2019s browser when the page is viewed. This can lead to defacement, credential theft or further session hijacking on victim sites, compromising the confidentiality and integrity of site users.", "risk_and_exploitability": "The CVSS score of 4.9 reflects a moderate impact when an authorized contributor injects malicious script. The EPSS score of less than 1% indicates a low likelihood of exploitation at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitability requires valid Contributor\u2011level credentials and the ability to edit or create content. Attackers could leverage the vulnerability to target visitors across the site, but broad, remote exploitation is limited to accounts with sufficient role permissions."}}}}, "created": "2026-04-21T20:15:44.575959+00:00", "updated": "2026-04-21T20:15:44.575976+00:00", "vendors": []}