Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2021-25104

Severity: 6.1 MEDIUM
EPSS: 3.4% (top 12.61%)
CISA KEV: Not in KEV
Exploit: PoC available (public exploit / PoC exists)
Timeline: Published Jun 20 | Latest update Jun 21

Description

The Ocean Extra WordPress plugin before 1.9.5 does not escape generated links, which are then used when the OceanWP is active, leading to a Reflected Cross-Site Scripting issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploitability: 2.8 | Impact: 2.7

Affected Packages (2 packages)

NVD: oceanwp/ocean_extra < 1.9.5
CVEListV5: unknown/ocean_extra 1.9.5 1.9.5

🔴 Vulnerability Details (2)

GHSA: GHSA-gw6m-mhpj-9hgf: The Ocean Extra WordPress plugin before 1 (2022-06-21)
CVEList: Ocean Extra < 1.9.5 - Reflected Cross-Site Scripting (2022-06-20)

💥 Exploits & PoCs (1)

Nuclei: WordPress Ocean Extra <1.9.5 - Cross-Site Scripting