cleantalk
Vulnerabilities and Security Researches

OceanWP, CVE-2025-8891

CVE, Research URL

CVE-2025-8891

Home page URL

Security reports for OceanWP

Application

OceanWP

Published on
Aug 13, 2025
Research Description
The OceanWP theme for WordPress is vulnerable to Cross-Site Request Forgery in versions 4.0.9 to 4.1.1. This is due to missing or incorrect nonce validation on the oceanwp_notice_button_click() function. This makes it possible for unauthenticated attackers to install the Ocean Extra plugin via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Affected versions
Min 4.0.9, max 4.1.2.
Status
vulnerable
Previous vulnerability researches
Menu Cart for WooCommerce (a29e30b7f291ef425db21c107fa671ede0cf99d0) , Jun 07, 2024
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026