Impact
Ocean Extra, a WordPress plugin by OceanWP, is missing an authorization check, so access-control levels that should restrict certain plugin operations are not enforced. The vulnerability is classified as CWE-862 – Missing Authorization. An attacker who reaches the affected functionality could perform privileged operations within the plugin’s administrative interface, potentially accessing or modifying sensitive site data and configuration settings. The impact is an accidental or malicious escalation of privileges to a level that is normally restricted to site administrators or trusted users.
Affected Systems
The problem affects Ocean Extra plugin versions up to and including 2.5.3. WordPress sites with Ocean Extra installed within this version range are susceptible. The scope is limited to sites running WordPress with the plugin present, but because the plugin interfaces with the site’s core administrative functions, a compromise can reach the entire site. Any user who can authenticate to the site with a role that is granted permission to use the plugin could potentially exploit the flaw.
Risk and Exploitability
The CVSS score for this vulnerability is 5.4, indicating medium severity. No EPSS data is available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is an authenticated attacker navigating the plugin’s UI, where the missing authorization check allows role-based restrictions to be bypassed. Because the vulnerability hinges on a configuration oversight rather than a network-facing flaw, the risk profile is primarily internal, but any compromised credentials or social engineering that yields a legitimate WordPress login can lead to exploitation. Site owners should treat the risk as moderate and mitigate promptly.
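The CWE-862 pattern described above, as an added illustration that is not Ocean Extra’s code: a WordPress admin-ajax handler that writes a setting without checking the caller’s capability, beside the hardened form that gates the write on a capability check and a nonce. The action name, option name and capability are assumptions chosen for the example.

```php
<?php
// Constructed example of CWE-862 (Missing Authorization) in a WordPress
// admin-ajax handler. Hook, option and capability names are hypothetical.

// BEFORE (vulnerable): every logged-in user can reach wp_ajax_* hooks, and
// nothing here verifies a capability or a nonce, so a low-privilege role
// such as Subscriber can change an administrator-only setting.
function demo_save_setting_vulnerable() {
    $value = isset( $_POST['demo_setting'] ) ? wp_unslash( $_POST['demo_setting'] ) : '';
    update_option( 'demo_plugin_setting', sanitize_text_field( $value ) );
    wp_send_json_success();
}
// Not registered here; kept only for contrast with the hardened handler below.

// AFTER (hardened): authorization and request-forgery checks run before any
// state change. Unauthorized callers get HTTP 403 and nothing is written.
function demo_save_setting_hardened() {
    // Authorization: only users allowed to manage site options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // CSRF protection: nonce must match the one issued with
    // wp_create_nonce( 'demo_save_setting' ) on the settings page.
    check_ajax_referer( 'demo_save_setting', 'nonce' );

    $value = isset( $_POST['demo_setting'] ) ? wp_unslash( $_POST['demo_setting'] ) : '';
    update_option( 'demo_plugin_setting', sanitize_text_field( $value ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_setting', 'demo_save_setting_hardened' );
```

When reviewing a plugin for this class of flaw, check every `wp_ajax_*`, REST route and `admin_post_*` handler that changes state for a `current_user_can()` call (or a REST `permission_callback`) placed before the write.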
OpenCVE Enrichment