cleantalk
Vulnerabilities and Security Researches

Ocean Extra, CVE-2024-3167

CVE, Research URL

CVE-2024-3167

Home page URL

Security reports for Ocean Extra

Application

Ocean Extra

Published on
Apr 10, 2024
Research Description
The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up to, and including, 2.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
Min -, max 2.2.7.
Status
vulnerable
Previous vulnerability researches
Ocean Extra (CVE-2025-3458) , Apr 29, 2025
Ocean Extra (CVE-2022-4974) , Nov 14, 2024
Ocean Extra (CVE-2025-3457) , Apr 29, 2025
Ocean Extra (CVE-2019-16250) , Jun 07, 2024
Ocean Extra (CVE-2021-25104) , Jun 07, 2024
New vulnerability
Faculty Staff and Student Directory Plugin – Campus Directory (CVE-2025-8313) , Aug 06, 2025
Chartify – WordPress Chart Plugin (CVE-2025-54673) , Aug 05, 2025
Paid Membership Subscriptions – Effortless Memberships, Recurring Payments & Content Restriction (CVE-2025-54017) , Aug 05, 2025
Motors – Car Dealer, Classifieds & Listing (CVE-2025-54691) , Aug 05, 2025
Ebook Store (CVE-2025-54702) , Aug 05, 2025