Ocean Extra < 2.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-49068 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 2.4.9

References

CVE

URL

https://patchstack.com/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extra-plugin-2-4-8-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asaf Mozes

Verified

No

WPVDB ID

109674e7-93d4-419e-a844-a338fc8185eb

Timeline

Publicly Published

2025-06-02 (about 7 months ago)

Added

2025-07-09 (about 5 months ago)

Last Updated

2025-07-09 (about 5 months ago)

Other

Published

Title

Published

2025-05-02

Title

Crossword Compiler Puzzles <= 14.5 - Subscriber+ Stored XSS

Published

2021-01-06

Title

Advanced Custom Fields < 5.8.12 - Cross-Site Scripting in Select2 dropdowns

Published

2014-08-01

Title

cleeng <= 2.3.2 - XSS in ZeroClipboard

Published

2024-12-20

Title

Multi-column Tag Map < 17.0.34 - Authenticated (Contributor+) Stored Cross-Site Scripting via mctagmap Shortcode

Published

2022-08-31

Title

Generate PDF using Contact Form 7 < 3.6 - Admin+ Stored Cross-Site Scripting