Vulnerabilities and security researches foroceanwp oceanwp

Jun 10, 2024

CVE, Research URL: CVE-2024-2476
Home page URL: Security reports for OceanWP
Application: OceanWP
Date: Mar 29, 2024
Research Description: The OceanWP theme for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_theme_panel_pane function in all versions up to, and including, 3.5.4. This makes it possible for authenticated attackers, with subscriber-level access and above, to expose sensitive information such as system/environment data and API keys.
Affected versions: Min -, max -.
Status: vulnerable

CVE, Research URL: CVE-2023-23700
Home page URL: Security reports for OceanWP
Application: OceanWP
Date: May 17, 2024
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OceanWP allows PHP Local File Inclusion.This issue affects OceanWP: from n/a through 3.4.1.
Affected versions: Min -, max -.
Status: vulnerable

Jul 02, 2025

CVE, Research URL: CVE-2025-5524
Home page URL: Security reports for OceanWP
Application: OceanWP
Date: Jun 19, 2025
Research Description: The OceanWP theme for WordPress is vulnerable to Stored Cross-Site Scripting via the Select HTML tag in all versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable