Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OceanWP Ocean Product Sharing allows Stored XSS.

This issue affects Ocean Product Sharing: from n/a through 2.2.2.
Published: 2026-06-18
Score: 5.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of input during web page generation. When user‑provided data is persisted by the Ocean Product Sharing plugin and later rendered, an attacker can inject malicious JavaScript that executes in the browsers of visitors to the affected WordPress site. This can lead to defacement, credential theft, or redirection to phishing sites, compromising confidentiality and integrity for all users who view the affected content. The flaw does not directly expose data to the attacker, but the injected script can harvest session cookies or perform other client‑side attacks.

Affected Systems

The affected system is the WordPress Ocean Product Sharing plugin from OceanWP. Versions up to and including 2.2.2 are vulnerable; all releases prior to the first available version are also affected. The specific product is the Ocean Product Sharing add‑on used to display product information on WordPress sites.

Risk and Exploitability

The CVSS score of 5.9 places this issue in the medium severity range, indicating a meaningful threat to the affected sites. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at this time. The most likely attack vector is via the plugin’s data submission interface, where possibly an authenticated or unauthenticated user can submit persistent input that later appears on public pages. Because the flaw is stored, an attacker only needs to get the malicious content into the system once; it then affects all site visitors who view the stored data.

Generated by OpenCVE AI on June 18, 2026 at 19:47 UTC.

Remediation

Vendor Solution

Update the WordPress Ocean Product Sharing Plugin to the latest available version (at least 2.2.3).


OpenCVE Recommended Actions

  • Update the Ocean Product Sharing plugin to version 2.2.3 or newer so the input sanitization flaw is fixed.
  • If an immediate update is not possible, disable or remove any feature that accepts and stores user input until the patch is applied.
  • Configure a web application firewall or content security policy to detect and block typical XSS payloads in product sharing fields.

Generated by OpenCVE AI on June 18, 2026 at 19:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Oceanwp
Oceanwp ocean Product Sharing
Wordpress
Wordpress wordpress
Vendors & Products Oceanwp
Oceanwp ocean Product Sharing
Wordpress
Wordpress wordpress

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OceanWP Ocean Product Sharing allows Stored XSS. This issue affects Ocean Product Sharing: from n/a through 2.2.2.
Title WordPress Ocean Product Sharing plugin <= 2.2.2 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Subscriptions

Oceanwp Ocean Product Sharing
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-18T15:54:19.334Z

Reserved: 2026-06-18T09:31:56.470Z

Link: CVE-2026-56007

cve-icon Vulnrichment

Updated: 2026-06-18T15:54:14.629Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:42:04Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')