cleantalk
Vulnerabilities and Security Researches

OceanWP, CVE-2025-8891

CVE, Research URL

CVE-2025-8891

Home page URL

Security reports for OceanWP

Application

OceanWP

Published on
Aug 13, 2025
Research Description
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min 4.0.9, max 4.1.2.
Status
vulnerable
Previous vulnerability researches
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg (CVE-2024-37264) , Jul 01, 2024
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg (CVE-2025-54053) , Aug 12, 2025
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg (CVE-2025-4206) , May 10, 2025
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg (CVE-2025-0394) , Jan 15, 2025
WordPress CRM, Email & Marketing Automation for WordPress | Award Winner — Groundhogg (CVE-2024-56289) , Jan 07, 2025
New vulnerability
Easy Form Builder (CVE-2025-54678) , Aug 14, 2025
WooCommerce Affiliate Plugin – Coupon Affiliates (CVE-2025-54025) , Aug 14, 2025
RT Easy Builder – Advanced addons for Elementor (CVE-2025-8462) , Aug 14, 2025
Database for Contact Form 7, WPforms, Elementor forms (CVE-2025-7384) , Aug 14, 2025
Eventer (CVE-2025-39483) , Aug 14, 2025