Ocean Extra Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-3167 | WordPress Plugin Vulnerability Report

Plugin Name: Ocean Extra

Key Information:

  • Software Type: Plugin
  • Software Slug: ocean-extra
  • Software Status: Active
  • Software Author: oceanwp
  • Software Downloads: 20,664,296
  • Active Installs: 700,000
  • Last Updated: April 16, 2024
  • Patched Versions: 2.2.7
  • Affected Versions: <= 2.2.6

Vulnerability Details:

  • Name: Ocean Extra <= 2.2.6
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-3167
  • CVSS Score: 6.4
  • Publicly Published: April 8, 2024
  • Researcher: Wesley
  • Description: The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘twitter_username’ parameter in versions up to, and including, 2.2.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


The Ocean Extra plugin for WordPress has a vulnerability in versions up to and including 2.2.6 that allows authenticated contributors to execute stored cross-site scripting attacks via the ‘twitter_username’ parameter. This vulnerability has been patched in version 2.2.7.

Detailed Overview:

The vulnerability in the Ocean Extra plugin was identified by researcher Wesley. It specifically targets the 'twitter_username' parameter within the plugin settings. Due to inadequate input sanitization and escaping, it is possible for attackers, who have at least contributor-level access, to inject malicious scripts into this field. These scripts can then be executed on the client-side whenever another user views a compromised page. This represents a significant security risk potentially leading to unauthorized data access or manipulation.

Advice for Users:

  • Immediate Action: Users should update to version 2.2.7 immediately to mitigate the risk.
  • Check for Signs of Vulnerability: Administrators should review their pages for any unusual script insertions, particularly in the 'twitter_username' parameter.
  • Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.


The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 2.2.7 or later to secure their WordPress installations.


Detailed Report: 

In our digital world, your website acts as both the face and the gateway to your business, making its security paramount. However, like any defense, digital protections can falter if not regularly updated and maintained. A glaring example of such a lapse is the recently discovered vulnerability in the Ocean Extra WordPress plugin, which has put over 700,000 websites at potential risk. This vulnerability underscores the crucial need for continuous vigilance in website security management, especially for business owners juggling countless responsibilities.

Risks and Potential Impacts:

The vulnerability in Ocean Extra exposes websites to several risks, including data theft, unauthorized content changes, and loss of user trust. Attackers could exploit this vulnerability to manipulate web pages or perform actions on behalf of users, potentially leading to severe reputational and financial damage for a business.

Overview of Previous Vulnerabilities:

Since July 3, 2019, Ocean Extra has encountered 11 documented vulnerabilities, ranging from minor to critical. This history indicates a pattern that necessitates regular reviews and updates as part of a comprehensive security strategy.


The swift patching of the latest vulnerability in Ocean Extra by its developers is a reminder of the critical nature of software updates. For small business owners, who often must prioritize their time ruthlessly, it's vital to implement practices that ensure your website's security measures are automatic and robust. Leveraging tools like automated update features, subscribing to security blogs, or working with managed hosting services can significantly reduce the burden of staying ahead of vulnerabilities.

Final Thoughts:

As a small business owner, it's easy to feel overwhelmed by the technical demands of maintaining a secure online presence. However, the security of your website should never be compromised. Engaging with professionals for regular security audits, adopting robust security plugins, and maintaining awareness of your digital assets' health are pivotal steps in safeguarding your business in the digital landscape.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Ocean Extra Vulnerability – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-3167 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment