Every CVE whose affected-product data names Oceanwp Ocean Extra, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2019-16250 — CVSS 7.5 (high): includes/wizard/wizard.php in the Ocean Extra plugin through 1.5.8 for WordPress allows unauthenticated options changes and injection of a…
CVE-2022-3374 — CVSS 7.2 (high): The Ocean Extra WordPress plugin before 2.0.5 unserialises the content of an imported file, which could lead to PHP object injections…
CVE-2025-3472 — CVSS 6.5 (medium): The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is…
CVE-2023-0749 — CVSS 6.5 (medium): The Ocean Extra WordPress plugin before 2.1.3 does not ensure that the template to be loaded via a shortcode is actually a template…
CVE-2024-37489 — CVSS 6.5 (medium): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OceanWP Ocean Extra allows…
CVE-2025-3458 — CVSS 6.4 (medium): The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ocean_gallery_id’ parameter in all versions up…
CVE-2024-1277 — CVSS 6.4 (medium): The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via custom fields in all versions up to, and including…
CVE-2024-3167 — CVSS 6.4 (medium): The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up…
CVE-2025-3457 — CVSS 6.4 (medium): The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions…
CVE-2021-25104 — CVSS 6.1 (medium): The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links which are then used when the OceanWP is active, leading to a…
CVE-2023-24399 — CVSS 5.5 (medium): Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.2 versions.
CVE-2023-23891 — CVSS 5.5 (medium): Auth. (contributor+) Stored Cross-Site Scripting (XSS) vulnerability in OceanWP Ocean Extra plugin <= 2.1.1 versions. Needs the OceanWP…
CVE-2023-49164 — CVSS 5.4 (medium): Cross-Site Request Forgery (CSRF) vulnerability in OceanWP Ocean Extra.This issue affects Ocean Extra: from n/a through 2.2.2.
CVE-2020-36760 — CVSS 4.3 (medium): The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.6.5]. This is due to…