
Ocean Extra XSS May Expose Up to 600,000 WordPress Sites - Are You Affected?

Reviewed: Andrii Daniv | 1 min read | Aug 30, 2025

Security researchers disclosed an authenticated stored cross-site scripting vulnerability in the Ocean Extra WordPress plugin, which is listed as active on up to 600,000 sites. Sites running vulnerable versions should update to 2.5.0.

WordPress Ocean Extra vulnerability affects up to 600,000 sites

Stored XSS in Ocean Extra affects versions up to and including 2.4.9.

The flaw allows malicious scripts to be stored in site content and executed in the browsers of users who view that content. It stems from insufficient input sanitization and output escaping of attributes in the oceanwp_library shortcode.

Exploitation requires an authenticated user with contributor-level access or higher to insert a payload via shortcode parameters. The payload persists in content and executes when a page or post is viewed.

Versions up to and including 2.4.9 are impacted. Version 2.5.0 is available and addresses the issue. Wordfence has published an advisory with technical details and recommended mitigation.

Key details

  • Affected plugin: Ocean Extra by OceanWP
  • Vulnerability type: authenticated stored cross-site scripting (XSS)
  • Attack vector: oceanwp_library shortcode parameters
  • Impacted versions: up to and including 2.4.9
  • Fixed version available: 2.5.0
  • Required permissions: contributor role or higher
  • Plugin purpose: companion plugin extending the OceanWP theme
  • Install base: up to 600,000 sites, per WordPress.org listing
  • Plugin slug: ocean-extra

Background

Ocean Extra extends the OceanWP theme with features like local font hosting, additional widgets, and navigation options. Its shortcode system lets users embed library items in content, but improper handling of shortcode attributes can enable script injection.

Stored XSS persists a malicious payload on the server so that it executes in the browser of every viewer who loads the affected page. WordPress coding standards emphasize validating inputs on save and escaping outputs at render time to prevent this class of bug. The contributor role can write posts but cannot publish them, while editors and administrators have broader capabilities. This vulnerability requires authenticated access consistent with those roles.
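The defect class described above is a shortcode handler that copies attribute values straight into HTML. Shortcode attributes travel inside post content, which WordPress passes through kses for users without the unfiltered_html capability (contributors among them), but kses treats the shortcode as plain text; only the plugin's handler turns those attributes into markup, so if the handler does not escape them the kses protection is bypassed. The following is an added example written for this article, not Ocean Extra's own code: a hypothetical [demo_library] shortcode shown first with the unsafe pattern and then with the hardened one. It assumes the WordPress core functions add_shortcode, shortcode_atts, absint, sanitize_text_field, esc_attr and esc_html.

```php
<?php
// Added example, not the Ocean Extra plugin's code. The shortcode name
// [demo_library id="" title=""] and both handlers are hypothetical.

// Unsafe pattern: attribute values are interpolated into HTML unchanged.
// Anything a post author places in title or id lands in the page markup
// verbatim, and because the post is stored, it renders for every viewer.
function demo_library_vulnerable( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'title' => '' ),
        $atts,
        'demo_library'
    );
    return '<div class="library-item" data-id="' . $atts['id'] . '">'
         . $atts['title']
         . '</div>';
}

// Hardened pattern: sanitize on input, escape for the exact output context.
function demo_library_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'id' => '', 'title' => '' ),
        $atts,
        'demo_library'
    );

    // Constrain each attribute to the type the feature actually needs.
    $id    = absint( $atts['id'] );                 // non-negative integer only
    $title = sanitize_text_field( $atts['title'] ); // strips tags and control chars

    // Refuse to render when the required attribute is missing or malformed,
    // rather than emitting whatever was supplied.
    if ( 0 === $id ) {
        return '';
    }

    // Escape for the context each value lands in: an HTML attribute and
    // an HTML text node. Escaping at output is the step that closes the
    // stored XSS path even if sanitization is later loosened.
    return '<div class="library-item" data-id="' . esc_attr( $id ) . '">'
         . esc_html( $title )
         . '</div>';
}

// Register only the hardened handler.
add_shortcode( 'demo_library', 'demo_library_hardened' );
```

Two review points follow from this. Sanitizing on save is not a substitute for escaping at output, because shortcode attributes are stored as authored text and are only converted to markup when the handler runs. And a capability check does not help here: contributors are legitimately allowed to author the content, so the control has to live in how the handler renders it, which is why the fix for this class of issue is a plugin update rather than a role change.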

Author: Etavrian AI
Etavrian AI is developed by Andrii Daniv to produce and optimize content for etavrian.com website.