cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches foroceanwp oceanwp

Direction: ascending
Jun 10, 2024

OceanWP # CVE-2024-2476

CVE, Research URL

CVE-2024-2476

Home page URL

Security reports for OceanWP

Application

OceanWP

Date
Mar 29, 2024
Research Description
The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys.
Affected versions
Min -, max -.
Status
vulnerable

OceanWP # CVE-2023-23700

CVE, Research URL

CVE-2023-23700

Home page URL

Security reports for OceanWP

Application

OceanWP

Date
May 17, 2024
Research Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion.This issue affects OceanWP: from n/a through 3.4.1.
Affected versions
Min -, max -.
Status
vulnerable
Jul 02, 2025

OceanWP # CVE-2025-5524

CVE, Research URL

CVE-2025-5524

Home page URL

Security reports for OceanWP

Application

OceanWP

Date
Jun 19, 2025
Research Description
The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max -.
Status
vulnerable
Aug 14, 2025

OceanWP # CVE-2025-8891

CVE, Research URL

CVE-2025-8891

Home page URL

Security reports for OceanWP

Application

OceanWP

Date
Aug 13, 2025
Research Description
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min -, max -.
Status
vulnerable