CVE-2024-3167 — Cross-site Scripting in Ocean Extra

CWE-79 — Cross-site Scripting CWE-755 — Improper Handling of Exceptional Conditions4 documents4 sources

Severity

6.4MEDIUMNVD

EPSS

0.2%

top 58.50%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Oceanwp Ocean Extra

Timeline

PublishedApr 9

Latest updateOct 21

Description

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up to, and including, 2.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NExploitability: 3.1 | Impact: 2.7

Affected Packages2 packages

▶NVDoceanwp/ocean_extra< 2.2.7

▶CVEListV5oceanwp/ocean_extra2.2.6

Patches

Patch: plugins.trac.wordpress.org ↗Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-8673-r45m-47g8: The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up to, and includin↗2024-04-09

▶

CVEList

Ocean Extra <= 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting↗2024-04-09

▶

📋Vendor Advisories

Red Hat

kernel: f2fs: fix to don't panic system for no free segment fault injection↗2024-10-21

▶