Impact
The vulnerability is a stored cross‑site scripting flaw caused by improper neutralization of input during web page generation. When user‑provided data is persisted by the Ocean Product Sharing plugin and later rendered, an attacker can inject malicious JavaScript that executes in the browsers of visitors to the affected WordPress site. This can lead to defacement, credential theft, or redirection to phishing sites, compromising confidentiality and integrity for all users who view the affected content. The flaw does not directly expose data to the attacker, but the injected script can harvest session cookies or perform other client‑side attacks.
Affected Systems
The affected system is the WordPress Ocean Product Sharing plugin from OceanWP. Versions up to and including 2.2.2 are vulnerable; all releases prior to the first available version are also affected. The specific product is the Ocean Product Sharing add‑on used to display product information on WordPress sites.
Risk and Exploitability
The CVSS score of 5.9 places this issue in the medium severity range, indicating a meaningful threat to the affected sites. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at this time. The most likely attack vector is via the plugin’s data submission interface, where possibly an authenticated or unauthenticated user can submit persistent input that later appears on public pages. Because the flaw is stored, an attacker only needs to get the malicious content into the system once; it then affects all site visitors who view the stored data.
OpenCVE Enrichment