Themes Vulnerabilities

OceanWP < 4.1.0 - Contributor+ Stored XSS via Select HTML Tag

Description

The theme is vulnerable to Stored Cross-Site Scripting via the Select HTML tag due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Themes

oceanwp
Fixed in 4.1.0

References

CVE
CVE-2025-5524
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/37b085f9-3b15-44aa-9ba0-de5321dfbce4

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
4.9 (medium)

Miscellaneous

Original Researcher
Asaf Mozes
Verified
No
WPVDB ID
81ea1b70-8582-4aa0-a60f-27f38078b8da

Timeline

Publicly Published
2025-06-18 (about 9 months ago)
Added
2025-06-19 (about 9 months ago)
Last Updated
2025-06-19 (about 9 months ago)

Other

Published
Title
Published
2022-08-29
Title
Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS
Published
2014-08-01
Title
LBG Zoominoutslider - settings_form.php Multiple Parameter Stored XSS
Published
2025-07-10
Title
FooGallery – Responsive Photo Gallery, Image Viewer, Justified, Masonry & Carousel < 2.4.32 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
Published
2025-01-16
Title
Google Map on Post/Page <= 1.1 - Reflected Cross-Site Scripting
Published
2023-11-10
Title
Sponsors <= 3.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode