Ocean Extra Vulnerability - Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1277 | WordPress Plugin Vulnerability Report

Plugin Name: Ocean Extra

Key Information:

  • Software Type: Plugin
  • Software Slug: ocean-extra
  • Software Status: Active
  • Software Author: oceanwp
  • Software Downloads: 20,016,876
  • Active Installs: 700,000
  • Last Updated: February 27, 2024
  • Patched Versions: 2.2.5
  • Affected Versions: <= 2.2.4

Vulnerability Details:

  • Name: Ocean Extra <= 2.2.4
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1277
  • CVSS Score: 6.4
  • Publicly Published: February 16, 2024
  • Researcher: Webbernaut
  • Description: The Ocean Extra plugin, a companion plugin that extends OceanWP theme installations, has a stored cross-site scripting (XSS) vulnerability in versions up to and including 2.2.4. The flaw arises from insufficient input sanitization and output escaping in the plugin's custom fields, which lets authenticated users with at least contributor-level permissions inject arbitrary web scripts. These scripts then execute in the browser of any user who accesses an injected page.


Ocean Extra, a widely used companion plugin that adds customization options and features to the OceanWP theme, has been found vulnerable to a stored XSS attack. The vulnerability affects versions up to and including 2.2.4 and is fixed in version 2.2.5.

Detailed Overview:

This vulnerability was uncovered by the researcher Webbernaut, who showed that authenticated attackers can inject malicious scripts via the plugin's custom fields. The XSS vulnerability compromises the security of websites running the affected versions and puts their user data at risk. A security patch has been released in version 2.2.5 to close this gap, and sites should be updated immediately.

Advice for Users:

  • Immediate Action: Users of the Ocean Extra plugin should urgently update to the patched version 2.2.5 to protect their sites from potential XSS exploits.
  • Check for Signs of Vulnerability: Website administrators are advised to review their sites for any unusual or unauthorized content, particularly in areas where custom fields are utilized, as these may indicate the exploitation of this vulnerability.
  • Alternate Plugins: While the patched version is now secure, users may consider exploring alternative plugins that offer similar functionality to Ocean Extra, ensuring they also adhere to strict security standards.
  • Stay Updated: Maintaining the security of a WordPress site involves regularly updating all plugins, themes, and the core WordPress software to their latest versions, thereby safeguarding against known vulnerabilities.
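
The version check and the custom-field review advised above can be scripted. The following is an added example, not code from the plugin or from this report: it assumes a CSV export of the `wp_postmeta` table with `post_id`, `meta_key` and `meta_value` columns, and the meta keys and sample rows are constructed for illustration.

```python
import csv
import io
import re
from html.parser import HTMLParser

AFFECTED_MAX = (2, 2, 4)  # from the advisory: affected <= 2.2.4, fixed in 2.2.5
URL_ATTRS = {"href", "src", "action", "formaction"}
# A quote followed by an on* handler: a value breaking out of an HTML attribute.
BREAKOUT = re.compile(r"""["']\s*on[a-z]+\s*=""", re.I)

def is_affected(version):
    """True when an installed ocean-extra version is <= 2.2.4."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums))) <= AFFECTED_MAX

class MarkupFinder(HTMLParser):
    """Collects reasons a custom-field value looks like active markup."""
    def __init__(self):
        super().__init__()
        self.reasons = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe", "object", "embed"):
            self.reasons.append(f"<{tag}> element")
        for name, value in attrs:
            compact = re.sub(r"\s+", "", value or "").lower()
            if name.startswith("on"):
                self.reasons.append(f"{name} handler")
            elif name in URL_ATTRS and compact.startswith("javascript:"):
                self.reasons.append(f"javascript: URL in {name}")

def scan_postmeta(csv_text):
    """Return (post_id, meta_key, reasons) for each suspicious row."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        finder = MarkupFinder()
        finder.feed(row["meta_value"])
        if BREAKOUT.search(row["meta_value"]):
            finder.reasons.append("attribute breakout with event handler")
        if finder.reasons:
            findings.append((int(row["post_id"]), row["meta_key"], finder.reasons))
    return findings

# Constructed sample export of wp_postmeta; the meta keys are hypothetical.
SAMPLE = '''post_id,meta_key,meta_value
102,example_title,"<script>/* constructed marker */</script>"
103,example_link,"<a href=""JavaScript:void(0)"">x</a>"
104,example_class,"box"" onmouseover=""void(0)"
105,example_note,"Prices on sale = 10% off"
'''
```

Rows it flags are leads for manual review rather than proof of compromise, and a clean result does not replace updating to 2.2.5.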


The identification and subsequent patching of CVE-2024-1277 within the Ocean Extra plugin serve as a crucial reminder of the ongoing challenges in digital security. For WordPress site owners, particularly small business operators who might be pressed for time, the incident underscores the importance of proactive security measures. Leveraging tools for automatic updates, staying informed about potential vulnerabilities, and conducting regular site audits are indispensable practices in ensuring the integrity and security of online platforms.


In today's digital landscape, WordPress stands as a cornerstone for many websites, especially for small business owners who rely on its flexibility and ease of use. However, the convenience of WordPress plugins comes with its share of vulnerabilities, as highlighted by the recent discovery of a stored XSS flaw in the "Ocean Extra" plugin, designated as CVE-2024-1277. This incident underscores the perpetual tension between functionality and security and the need for vigilance and prompt action to protect digital assets.

Plugin Overview:

"Ocean Extra" serves as an essential plugin for users of the OceanWP theme, enriching WordPress sites with additional features and customization options. With an impressive tally of over 20 million downloads and 700,000 active installations, its impact on the WordPress community is substantial.

Vulnerability Details:

CVE-2024-1277 is a stored cross-site scripting (XSS) vulnerability in versions up to and including 2.2.4 of the "Ocean Extra" plugin. Authenticated users with contributor-level access can exploit this flaw by injecting malicious scripts through the plugin's custom fields, because input sanitization and output escaping are inadequate. This vulnerability, uncovered by researcher Webbernaut, carries a CVSS score of 6.4, indicating a significant security risk.

Risks and Potential Impacts:

Exploitation of this vulnerability could lead to unauthorized access to user data, session hijacking, and the compromise of website integrity. For small business owners, the ramifications extend beyond mere technical glitches, potentially eroding customer trust and damaging the business's online reputation.

Remediation Strategies:

In response to CVE-2024-1277, the developers of "Ocean Extra" have released a patch in version 2.2.5 to rectify the vulnerability. Users are urged to update their plugin immediately to this latest version to mitigate the associated risks. Additionally, conducting regular site audits and monitoring for unusual or unauthorized content can help in identifying potential compromises.

Historical Context:

This is not the first vulnerability reported for the "Ocean Extra" plugin, with ten previous issues documented since July 3, 2019. This history of vulnerabilities accentuates the need for continuous security monitoring and updates.


The swift identification and patching of CVE-2024-1277 within the "Ocean Extra" plugin serve as a critical reminder of the ongoing importance of cybersecurity vigilance in the WordPress ecosystem. For small business owners, managing a website amidst numerous other responsibilities can be daunting. However, the security of your website is integral to your business's digital trust and reliability. Employing tools for automatic updates, staying abreast of the latest security threats, and leveraging professional cybersecurity services can significantly alleviate the burden, ensuring your WordPress site remains secure and your digital presence robust.

In navigating the complexities of online security, the key lies in proactive measures and informed decisions. Safeguarding your digital assets is not just about protecting data; it's about preserving the trust and confidence your customers place in your online presence.


Ocean Extra Vulnerability - Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1277 | WordPress Plugin Vulnerability Report FAQs

What is CVE-2024-1277?

CVE-2024-1277 refers to a specific security vulnerability found in the "Ocean Extra" WordPress plugin. It allows authenticated users with contributor-level permissions to inject malicious scripts through the plugin's custom fields, leading to stored cross-site scripting (XSS) attacks.
