Ocean Extra — Plugin Vulnerabilities

Medium 6.1

2026-05-01< 2.4.4

CVE-2024-13362

CVE Wordfence

Medium 5.4

2026-04-07< 2.5.4

CVE-2026-34903

CVE Wordfence

Medium 6.4

2025-08-30< 2.5.0

Ocean Extra <= 2.4.9 - Authenticated (Contributor+) Stored Cross-Site Scripting via oceanwp_library Shortcode

EUVD Wordfence CVE

Medium 6.5

2025-06-06< 2.4.9

CVE-2025-49068

CVE EUVD Wordfence

Medium 6.4

2025-04-22< 2.4.7

Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

EUVD Wordfence CVE

Medium 6.4

2025-04-22< 2.4.7

Ocean Extra <= 2.4.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'ocean_gallery_id'

EUVD Wordfence CVE

Medium 6.5

2025-04-22< 2.4.7

WordPress Ocean Extra Plugin <= 2.4.6 is vulnerable to Content Injection

Patchstack EUVD Wordfence CVE

Medium 6.3

2024-10-16< 1.9.4

Freemius SDK <= 2.4.2 - Missing Authorization Checks

CVE

Medium 5.4

2024-07-21< 2.3.0

CVE-2024-37489

CVE Patchstack Wordfence

Medium 6.4

2024-06-11< 2.2.9

CVE-2024-5531

CVE Patchstack Wordfence

Medium 6.4

2024-04-09< 2.2.7

CVE-2024-3167

CVE Wordfence Patchstack

Medium 5.4

2024-02-20< 2.2.5

CVE-2024-1277

CVE Wordfence Patchstack WPScan

Medium 5.4

2023-12-19< 2.2.3

CVE-2023-49164

CVE Patchstack WPScan

N/A

2023-11-28< 2.2.3

Ocean Extra <= 2.2.2 - Cross-Site Request Forgery to Arbitrary Plugin Activation

Wordfence

N/A

< 2.1.3

Ocean Extra < 2.1.3 - Contributor+ Stored XSS

WPScan

N/A

2023-07-18< 2.1.8

WordPress Ocean Extra Plugin <= 2.1.7 is vulnerable to Cross Site Scripting (XSS)

Patchstack WPScan CVE

Medium 4.3

2023-07-12< 1.6.6

CVE-2020-36760

CVE Wordfence

N/A

2023-06-07< 1.6.6

CVE-2021-4342

CVE

Medium 5.5

2023-03-30< 2.1.3

CVE-2023-24399

CVE Patchstack

Medium 6.5

2023-03-13< 2.1.3

CVE-2023-0749

CVE Patchstack Wordfence WPScan

N/A

2023-02-14< 2.1.3

Ocean Extra <= 2.1.2 - Authenticated (Contributor+) Stored Cross-Site Scripting

Wordfence

Medium 5.5

2023-04-06< 2.1.3

CVE-2023-23891

CVE Patchstack WPScan

N/A

2023-02-01< 2.1.2

Ocean Extra <= 2.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Wordfence

N/A

< 1.6.6

Various Affected Software (Various Versions) - Cross-Site Request Forgery Bypass

Wordfence

N/A

2022-03-04< 1.9.4

Freemius SDK <= 2.4.2 - Missing Authorization Checks

Wordfence

High 7.2

2022-10-31< 2.0.5

CVE-2022-3374

CVE Patchstack Wordfence WPScan

N/A

< 1.9.4

Unauthorised AJAX Calls via Freemius

WPScan

Medium 6.1

2025-10-03< 1.9.5

CVE-2021-25104

EUVD CVE Patchstack Wordfence WPScan

N/A

2019-07-04< 1.5.9

WordPress Ocean Extra plugin <= 1.5.8 - Unauthenticated CSS injection vulnerability

Patchstack

N/A

2019-07-04< 1.5.9

WordPress Ocean Extra plugin <= 1.5.8 - Unauthenticated Settings change vulnerability

Patchstack

N/A

2020-09-16< 1.6.6

WordPress Ocean Extra plugin <= 1.6.5 - Cross-Site Request Forgery (CSRF) vulnerability

Patchstack

N/A

2022-02-28< 1.9.4

WordPress Ocean Extra plugin < 1.9.4 - Sensitive Information Disclosure vulnerability

Patchstack

N/A

2022-02-28< 1.9.4

WordPress Ocean Extra plugin < 1.9.4 - Toggle The Debug Mode via Cross-Site Request Forgery (CSRF) vulnerability

Patchstack

High 7.5

2019-09-11< 1.5.9

CVE-2019-16250

CVE Wordfence WPScan