Oceanwp Ocean Extra
16 CVEs affecting Oceanwp Ocean Extra. Latest disclosed: 2026-05-01. Critical: 0, High: 0.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2025-49068 | Medium | 6.5 | 2025-06-06 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in oceanwp Ocean Extra ocean-extra allows Stored XSS.This is… |
CVE-2025-3472 | Medium | 6.5 | 2025-04-22 | The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software al… |
CVE-2024-37489 | Medium | 6.5 | 2024-07-21 | Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OceanWP Ocean Extra allows Stored XSS.This issue a… |
CVE-2025-9499 | Medium | 6.4 | 2025-08-30 | The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's oceanwp_library shortcode in all versions up to, and includi… |
CVE-2025-3458 | Medium | 6.4 | 2025-04-22 | The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up to, and including, 2… |
CVE-2025-3457 | Medium | 6.4 | 2025-04-22 | The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and includin… |
CVE-2024-5531 | Medium | 6.4 | 2024-06-11 | The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Flickr widget in all versions up to, and including, 2.2.8 due to insu… |
CVE-2024-3167 | Medium | 6.4 | 2024-04-09 | The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up to, and including, 2.2.6… |
CVE-2024-1277 | Medium | 6.4 | 2024-02-20 | The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom fields in all versions up to, and including, 2.2.4 due to insuffic… |
CVE-2022-4974 | Medium | 6.3 | 2024-10-16 | The Freemius SDK, as used by hundreds of WordPress plugin and theme developers, was vulnerable to Cross-Site Request Forgery and Information disclosure due to… |
CVE-2024-13362 | Medium | 6.1 | 2026-05-01 | Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient inp… |
CVE-2023-23891 | Medium | 5.5 | 2023-04-06 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.1 versions. Needs the OceanWP theme installed and act… |
CVE-2023-24399 | Medium | 5.5 | 2023-03-30 | Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.2 versions. |
CVE-2026-34903 | Medium | 5.4 | 2026-04-07 | Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Ext… |
CVE-2023-49164 | Medium | 5.4 | 2023-12-19 | Cross-Site Request Forgery (CSRF) vulnerability in OceanWP Ocean Extra.This issue affects Ocean Extra: from n/a through 2.2.2. |
CVE-2020-36760 | Medium | 4.3 | 2023-07-12 | The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5]. This is due to missing or incorrect… |