Ocean Modal Window < 2.3.3 – Editor+ Remote Code Execution via Modal Conditions | CVE 2025-13307

Description

The plugin is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution.

Proof of Concept

1) Install the OceanWP theme that is required for the plugin
2) Install the ocean-modal-window plugin
3) Login to WordPress as superadmin and follow theme setup wizard
4) Setup as new site and select any free template from OceanWP
5) After the theme is configured, login as editor
6) Click on Modal tab -> Add New Item in the WP Admin dashboard
7) Add any title and content to the post
8) Enable Burp intercept and click Publish
9) Observe the POST `/wp-json/wp/v2/ocean_modal_window/[SOME_ID]` request
10) Add the meta field with the mw_display_on value containing an RCE payload:
```
"meta":{"mw_display_on":["system('sleep 5')"]}
```
Request body should look like:
```
{"id":745,"title":"test",
"meta":{"mw_display_on":["system('sleep 5')"]},"content":"<!-- wp:paragraph -->\n<p>test</p>\n<!-- /wp:paragraph -->\n\n<!-- wp:paragraph -->\n<p></p>\n<!-- /wp:paragraph -->","status":"publish"}
```
11) Forward this request. Then disable interception to forward the rest.
12) Now go to any page in the site and notice the 5-second delay.

The `mw_hide_on` meta variable is similarly vulnerable.