Source: https://www.searchenginejournal.com/wordpress-ocean-extra-vulnerability-affects-up-to-600000-sites/554900/
According to Roger Montti at Search Engine Journal, a newly disclosed vulnerability in the Ocean Extra plugin, installed on more than 600,000 WordPress websites, could allow attackers to carry out a stored Cross-Site Scripting (XSS) attack.
What Happened
The flaw affects Ocean Extra versions up to and including 2.4.9. According to the Wordfence advisory, it stems from insufficient input sanitization and output escaping: user-supplied input is saved without being sanitized and later rendered without being escaped, so an attacker-supplied script ends up stored in the site's database and runs in the browser of anyone who views the affected page.
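To make that description concrete, here is an added illustration of the bug class, not code from Ocean Extra or OceanWP and not the actual vulnerable code path, which the advisory does not identify. It shows a hypothetical theme-extension setting that is saved without sanitization and echoed without escaping, beside the hardened form that sanitizes on save and escapes for the exact output context. The option name `demo_widget_title`, the `demo_*` functions, the sample payload and the stand-in WordPress helpers are all constructed for this example; when the file runs outside WordPress it stubs the handful of WP functions it calls.

```php
<?php
/**
 * Added example (not Ocean Extra's code): the stored-XSS pattern of
 * "store raw input, echo it unescaped" next to its hardened form.
 * Runs stand-alone with `php stored_xss_demo.php`; inside WordPress the
 * real helpers are used and the stubs below are skipped.
 */

if (!function_exists('esc_html')) {
    // Minimal stand-ins for WordPress helpers so the file runs outside WP.
    function esc_html(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function esc_attr(string $s): string
    {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
    function sanitize_text_field(string $s): string
    {
        // WP's real helper also strips octets and invalid UTF-8; tag removal is the relevant part here.
        return trim(strip_tags($s));
    }
    $GLOBALS['demo_options'] = [];          // in-memory stand-in for the wp_options table
    function update_option(string $key, $value): bool
    {
        $GLOBALS['demo_options'][$key] = $value;
        return true;
    }
    function get_option(string $key, $default = '')
    {
        return $GLOBALS['demo_options'][$key] ?? $default;
    }
}

// --- Vulnerable pattern: raw request value stored, then echoed as-is --------
function demo_save_title_vulnerable(array $post): void
{
    // No capability check, no nonce, no sanitization: whatever was submitted is persisted.
    update_option('demo_widget_title', $post['title'] ?? '');
}

function demo_render_title_vulnerable(): string
{
    // The stored value lands in the HTML verbatim, so a saved <script> tag
    // executes for every visitor who loads this widget.
    return '<h2 class="widget-title">' . get_option('demo_widget_title') . '</h2>';
}

// --- Hardened pattern: check authority, sanitize on save, escape on output ---
function demo_save_title_hardened(array $post, bool $user_can_manage): bool
{
    // In WordPress this would be current_user_can('edit_theme_options') plus
    // check_admin_referer(); here the result is passed in so the file runs offline.
    if (!$user_can_manage) {
        return false;
    }
    update_option('demo_widget_title', sanitize_text_field($post['title'] ?? ''));
    return true;
}

function demo_render_title_hardened(): string
{
    // Escape for the exact context: esc_attr() inside an attribute value,
    // esc_html() between tags. This neutralises the payload even if a
    // sanitization step upstream was missed.
    $title = (string) get_option('demo_widget_title');
    return '<h2 class="widget-title" title="' . esc_attr($title) . '">'
        . esc_html($title) . '</h2>';
}

// Constructed payload standing in for what a low-privileged account might submit.
$payload = ['title' => 'Hello<script>alert(document.cookie)</script>'];

demo_save_title_vulnerable($payload);
echo 'vulnerable store + vulnerable render: ', demo_render_title_vulnerable(), PHP_EOL;

// Defence in depth: even with the raw value already in the database,
// context-aware escaping at output time stops it from executing.
echo 'vulnerable store + hardened render:   ', demo_render_title_hardened(), PHP_EOL;

demo_save_title_hardened($payload, true);
echo 'hardened store + hardened render:     ', demo_render_title_hardened(), PHP_EOL;
```

The two fixes are independent and both matter: sanitizing on save stops the script from being stored, while escaping on output makes sure that anything that does reach the database, through this form or any other write path, is rendered as text rather than markup.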
Why It Matters
Ocean Extra is developed by oceanwp and extends the popular OceanWP WordPress theme, adding features like custom widgets, enhanced navigation menus, and local font hosting. Since the plugin is tightly integrated with a widely used theme, the potential impact is significant.
Exploitation requires an authenticated account with Contributor-level access or higher, so anonymous visitors cannot trigger it directly. Sites with many authors or that accept guest contributors are the most exposed: Contributor is a low-privilege WordPress role that cannot publish posts on its own, yet this bug gives such an account a way to run script in the browser of anyone who loads the affected page.
The Fix
Because the vulnerability can only be exploited by authenticated users with Contributor-level permissions or higher, it is not reachable by arbitrary site visitors; that limits exposure but does not remove it, since every release up to and including 2.4.9 is affected. Wordfence, which originally documented the flaw, recommends updating immediately to version 2.5.0, the release that closes the gap. Site owners can confirm the installed version from the Plugins screen in the WordPress dashboard and should also review which accounts hold the Contributor role or above.