🧹It's time for some spring cleaning! All researchers earn over 6.25x our normal bounty rates, through May 27th, 2024, when Wordfence handles responsible disclosure for our Spring Cleaning Bug Extravaganza! Learn more about our bug bounty program
Register as a researcher and submit your vulnerabilities today!

Ocean Extra

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > Ocean Extra

Information

Software Type	Plugin
Software Slug	ocean-extra (view on wordpress.org)
Software Status	Active
Software Author	oceanwp
Software Website	oceanwp.org
Software Downloads	20,763,749
Software Active Installs	700,000
Software Record Last Updated	May 18, 2024

12 Vulnerabilities

Ocean Extra <= 2.2.2 - Cross-Site Request Forgery to Arbitrary Plugin Activation

4.3

CVE-2023-49164

Nov 28, 2023

Researcher: Dave Jong

Ocean Extra <=1.6.5 - Cross-Site Request Forgery Bypass

4.3

CVE-2020-36760

Sep 26, 2020

Researcher: Jerome Bruandet

Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get

6.1

CVE-2023-33999

Jul 18, 2023

Researcher: Rafie Muhammad

Ocean Extra <= 1.9.4 - Reflected Cross-Site Scripting

6.1

CVE-2021-25104

May 24, 2022

Researcher: ZhongFu Su

Freemius SDK <= 2.4.2 - Missing Authorization Checks

6.3

CVE ID Unknown

Mar 4, 2022

Researchers:

Ocean Extra <= 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-3167

Apr 8, 2024

Researcher: wesley (wcraft)

Ocean Extra <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2024-1277

Feb 16, 2024

Researcher: Webbernaut

Ocean Extra <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2023-24399

Feb 14, 2023

Researcher: Erwan LR

Ocean Extra <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2023-23891

Feb 1, 2023

Researcher: Rafshanzani Suhada

Ocean Extra <= 2.1.2 - Authenticated (Subscriber+) Arbitrary Post Access

6.5

CVE-2023-0749

Feb 14, 2023

Researcher: Erwan LR

Ocean Extra <= 2.0.4 - Authenticated (Administrator+) PHP Object Injection

7.2

CVE-2022-3374

Oct 10, 2022

Researcher: Nguyen Duy Quoc Khanh

Ocean Extra <= 1.5.7 - Unauthenticated Options update and CSS injection

7.5

CVE-2019-16250

Jul 3, 2019

Researcher: Jerome Bruandet

Title	Status	CVE ID	CVSS	Researchers	Date
Ocean Extra <= 2.2.2 - Cross-Site Request Forgery to Arbitrary Plugin Activation	Patched	CVE-2023-49164	4.3	Dave Jong	November 28, 2023
Ocean Extra <=1.6.5 - Cross-Site Request Forgery Bypass	Patched	CVE-2020-36760	4.3	Jerome Bruandet	September 26, 2020
Freemius SDK <= 2.5.9 - Reflected Cross-Site Scripting via fs_request_get	Patched	CVE-2023-33999	6.1	Rafie Muhammad	July 18, 2023
Ocean Extra <= 1.9.4 - Reflected Cross-Site Scripting	Patched	CVE-2021-25104	6.1	ZhongFu Su	May 24, 2022
Freemius SDK <= 2.4.2 - Missing Authorization Checks	Patched		6.3		March 4, 2022
Ocean Extra <= 2.2.6 - Authenticated (Contributor+) Stored Cross-Site Scripting	Patched	CVE-2024-3167	6.4	wesley (wcraft)	April 8, 2024
Ocean Extra <= 2.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting	Patched	CVE-2024-1277	6.4	Webbernaut	February 16, 2024
Ocean Extra <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting	Patched	CVE-2023-24399	6.4	Erwan LR	February 14, 2023
Ocean Extra <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	Patched	CVE-2023-23891	6.4	Rafshanzani Suhada	February 1, 2023
Ocean Extra <= 2.1.2 - Authenticated (Subscriber+) Arbitrary Post Access	Patched	CVE-2023-0749	6.5	Erwan LR	February 14, 2023
Ocean Extra <= 2.0.4 - Authenticated (Administrator+) PHP Object Injection	Patched	CVE-2022-3374	7.2	Nguyen Duy Quoc Khanh	October 10, 2022
Ocean Extra <= 1.5.7 - Unauthenticated Options update and CSS injection	Patched	CVE-2019-16250	7.5	Jerome Bruandet	July 3, 2019

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation