Improper neutralization of user input during web page generation allows a stored cross‑site scripting (XSS) flaw in the Ocean Extra plugin. This weakness is a typical input validation error (CWE‑79) that can cause an attacker’s code to run in the browser of any victim who views a page containing the malicious data. The consequence is the potential compromise of confidentiality, integrity, or availability through cookie theft, session hijacking, defacement, or drive‑by infection, but it does not grant direct system control.

The vulnerability exists in the Ocean Extra WordPress plugin for versions from at least 2.4.8 and earlier. Only installations running the plugin at or below version 2.4.8 are affected.

The CVSS score of 6.5 rates the vulnerability as moderate, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog, but it remains a valid attack surface. An attacker would need to inject malicious content that is subsequently stored and rendered—this could be achieved through any feature that accepts user‑supplied text, often requiring authenticated user privileges. Although the exploit is not trivial, patching is recommended to eliminate this stored XSS risk.