Ocean Extra < 2.2.3 – Cross-Site Request Forgery to Arbitrary Plugin Activation | CVE 2023-49164 | Plugin Vulnerabilities

Description

The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.2.2. This is due to missing or incorrect nonce validation on the ajax_required_plugins_activate() function. This makes it possible for unauthenticated attackers to activate arbitrary plugins via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Fixed in 2.2.3

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/ac111175-2059-41dc-afa2-a659da3adaca

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Dave Jong

Verified

No

WPVDB ID

c9981d62-068a-403b-a008-f90248e16917

Timeline

Publicly Published

2023-11-28 (about 2 years ago)

Added

2023-12-07 (about 2 years ago)

Last Updated

2023-12-07 (about 2 years ago)

Other

Published

Title

Published

2023-09-25

Title

BEAR for WordPress < 1.1.4 - Arbitrary Settings Update via CSRF

Published

2025-03-04

Title

I Am Gloria <= 1.1.4 - Cross-Site Request Forgery

Published

2025-06-05

Title

Interactive Regional Map of Africa <= 1.0 - Cross-Site Request Forgery

Published

2023-09-01

Title

Responsive Gallery Grid < 2.3.14 - Settings Update via CSRF

Published

2021-04-22

Title

Multiple WP-Buy Plugins - Arbitrary Plugin Installation/Activation via CSRF