Ocean Extra < 2.4.9 – Authenticated (Contributor+) Stored Cross-Site Scripting | CVE 2025-49068 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 2.4.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Fixed in 2.4.9

References

CVE

URL

https://patchstack.com/database/wordpress/plugin/ocean-extra/vulnerability/wordpress-ocean-extra-plugin-2-4-8-cross-site-scripting-xss-vulnerability

Classification

Type

XSS

OWASP top 10

A7: Cross-Site Scripting (XSS)

CWE

CVSS

Miscellaneous

Original Researcher

Asaf Mozes

Verified

No

WPVDB ID

109674e7-93d4-419e-a844-a338fc8185eb

Timeline

Publicly Published

2025-06-02 (about 7 months ago)

Added

2025-07-09 (about 5 months ago)

Last Updated

2025-07-09 (about 5 months ago)

Other

Published

Title

Published

2025-01-16

Title

The Great Firewords of China <= 1.2 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Published

2024-08-09

Title

Kodex Posts likes <= 2.5.0 - Reflected Cross-Site Scripting

Published

2020-01-22

Title

Ultimate Addons for Beaver Builder < 1.25.0 - Cross-Site Scripting (XSS)

Published

2023-02-15

Title

Ultimate WP Query Search Filter <= 1.0.10 - Contributor+ XSS

Published

2018-04-04

Title

My Calendar <= 2.5.16 - Authenticated Cross-Site Scripting (XSS)