cleantalk
Vulnerabilities and Security Researches

OceanWP, CVE-2025-8891

CVE, Research URL

CVE-2025-8891

Home page URL

Security reports for OceanWP

Application

OceanWP

Published on
Aug 13, 2025
Research Description
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min 4.0.9, max 4.1.2.
Status
vulnerable
Previous vulnerability researches
ReFlex Gallery » WordPress Photo Gallery (CVE-2015-4133) , Jun 06, 2024
ReFlex Gallery » WordPress Photo Gallery (CVE-2013-7482) , Jun 06, 2024
ReFlex Gallery » WordPress Photo Gallery (CVE-2013-6837) , Jun 06, 2024
New vulnerability
Easy Form Builder (CVE-2025-54678) , Aug 14, 2025
WooCommerce Affiliate Plugin – Coupon Affiliates (CVE-2025-54025) , Aug 14, 2025
RT Easy Builder – Advanced addons for Elementor (CVE-2025-8462) , Aug 14, 2025
Database for Contact Form 7, WPforms, Elementor forms (CVE-2025-7384) , Aug 14, 2025
Eventer (CVE-2025-39483) , Aug 14, 2025