CVE-2020-36760: 
WordPress vulnerability analysis and mitigation

The Ocean Extra plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 1.6.5. The vulnerability was discovered by Jerome Bruandet of NinTechNet and disclosed on September 16, 2020. The issue affects the add_core_extensions_bundle_validation() function due to missing or incorrect nonce validation (NVD).

The vulnerability exists due to improper implementation of WordPress security nonces in the add_core_extensions_bundle_validation() function. The security check only validates the nonce if it has been provided, making it possible to bypass the protection by simply omitting the nonce parameter. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N (Wordfence).

If exploited, this vulnerability could allow unauthenticated attackers to validate extension bundles via a forged request, provided they can trick a site administrator into performing an action such as clicking on a malicious link (NVD).

Users should update the Ocean Extra plugin to version 1.6.6 or later which includes the security fix. The vulnerability was patched by properly implementing nonce validation to prevent CSRF attacks (NinTechNet Blog).