Description
The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.
Published: 2025-04-22
Score: 6.5 Medium
EPSS: 17.3% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The Ocean Extra plugin contains a flaw that permits unauthenticated users to execute arbitrary shortcodes. The flaw arises because an action the plugin exposes passes a user-supplied value to do_shortcode without validating it first. Because shortcodes can invoke PHP functions, this defect enables an attacker to run arbitrary code on the host.

Affected Systems

All release versions of the Ocean Extra plugin for WordPress up to and including 2.4.6 are affected, and the vulnerability is only exploitable when WooCommerce is also installed and activated.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5 (Medium) and an EPSS of 17%, indicating a notable likelihood of exploitation. It is not currently listed in the CISA KEV catalog. Attackers can exploit the missing input validation by supplying a malicious shortcode string that the site then executes with the privileges of the WordPress process, potentially leading to full code execution, data exfiltration, or service disruption.

Generated by OpenCVE AI on April 21, 2026 at 21:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ocean Extra plugin to the latest available version that eliminates the flaw.
  • If an upgrade cannot be performed immediately, temporarily deactivate WooCommerce or prevent it from being active on the site until the issue is patched.
  • Implement input-validation or content-restriction measures that limit shortcode execution to trusted users only, mitigating the risk of arbitrary code execution through unvalidated shortcodes.
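As an added illustration (not code from the Ocean Extra plugin, OceanWP or OpenCVE), the pattern the advisory describes, a request value passed straight to do_shortcode(), beside a hardened AJAX handler that applies the restrictions recommended above; every function, action and shortcode name in it is hypothetical:

```php
<?php
/**
 * Added illustration, not the Ocean Extra plugin's code. Function, action and
 * shortcode names are hypothetical; the WordPress API calls are real.
 */

// Weak shape: whatever the request carries goes straight into do_shortcode(),
// so any registered shortcode (and its attributes) can be triggered by the caller.
function example_render_shortcode_weak() {
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    echo do_shortcode( $content );
    wp_die();
}

// Hardened shape: nonce check, capability check, and only an allow-listed tag
// with no caller-supplied attributes is ever handed to do_shortcode().
function example_render_shortcode_hardened() {
    // 1. Reject requests without a valid nonce (check_ajax_referer dies with 403 on failure).
    check_ajax_referer( 'example_render_shortcode', 'nonce' );

    // 2. Require a privileged user; anonymous visitors never reach do_shortcode().
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Accept a bare tag name, normalised by sanitize_key() to [a-z0-9_-],
    //    and require it to be on a fixed allow-list of shortcodes this endpoint may render.
    $allowed = array( 'example_gallery', 'example_recent_posts' ); // hypothetical tags
    $tag     = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( '' === $tag || ! in_array( $tag, $allowed, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( array( 'message' => 'Shortcode not permitted.' ), 400 );
    }

    // 4. Build the shortcode string server-side so no attributes or nested
    //    shortcodes from the request are interpreted.
    $html = do_shortcode( '[' . $tag . ']' );

    wp_send_json_success( array( 'html' => $html ) );
}

// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added, so the
// endpoint is not reachable unauthenticated at all.
add_action( 'wp_ajax_example_render_shortcode', 'example_render_shortcode_hardened' );
```

The allow-list, rather than shortcode_exists() alone, is what makes the difference: shortcode_exists() only confirms a tag is registered, and a site running WooCommerce registers many shortcodes that were never meant to be reachable from an anonymous request.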



Advisories
Source | ID | Title
EUVD | EUVD-2025-12293 | The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.
History

Wed, 30 Apr 2025 14:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Oceanwp; Oceanwp ocean Extra
CPEs | | cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:*
Vendors & Products | | Oceanwp; Oceanwp ocean Extra

Tue, 22 Apr 2025 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 22 Apr 2025 11:30:00 +0000

Type | Values Removed | Values Added
Description | | The Ocean Extra plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.4.6. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes when WooCommerce is also installed and activated.
Title | | Ocean Extra <= 2.4.6 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses | | CWE-94
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Oceanwp Ocean Extra
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:06.675Z

Reserved: 2025-04-09T15:08:09.560Z

Link: CVE-2025-3472

Vulnrichment

Updated: 2025-04-22T13:23:06.724Z

NVD

Status : Analyzed

Published: 2025-04-22T12:15:16.657

Modified: 2025-04-30T14:01:15.660

Link: CVE-2025-3472

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T21:15:45Z

Weaknesses