CVE-2025-3472

MEDIUM NUCLEI

Oceanwp Ocean Extra < 2.4.7 - Code Injection

Title source: rule

Description

The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.

Nuclei Templates (1)

Ocean Extra <= 2.4.6 - Unauthenticated Shortcode Execution

MEDIUMVERIFIEDby theamanrawat

Shodan: http.html:"oceanwp" http.html:"woocommerce"

FOFA: body="oceanwp" && body="woocommerce"

References (3)

[Product] https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/shortcodes/shortcodes.php#L618

[Patch] https://plugins.trac.wordpress.org/changeset/3277977/

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/74428e76-1946-408f-8adc-24ab4b7e46c5?source=cve

Scores

CVSS v3 6.5

EPSS 0.1727

EPSS Percentile 95.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Details

CWE

CWE-94

Status published

Products (2)

oceanwp/Ocean Extra < 2.4.6

oceanwp/ocean_extra < 2.4.7

Published Apr 22, 2025

Tracked Since Feb 18, 2026