CVE-2021-25104: 
WordPress vulnerability analysis and mitigation

The Ocean Extra WordPress plugin before version 1.9.5 contains a Reflected Cross-Site Scripting (XSS) vulnerability identified as CVE-2021-25104. The vulnerability was discovered by ZhongFu Su(JrXnm) of Wuhan University and was publicly disclosed on May 24, 2022. The issue affects the plugin when used in conjunction with the OceanWP theme, where generated links are not properly escaped (WPScan).

The vulnerability is classified as a Reflected Cross-Site Scripting (XSS) issue with a CVSS v3 Base Score of 6.1 (Medium). The attack vector is network-based, requires low attack complexity, needs no privileges, but does require user interaction. The vulnerability has a Changed scope with Low impact on both Confidentiality and Integrity, while having No impact on Availability. A proof of concept exploit involves accessing the URL: https://example.com/wp-admin/?step=demo&page=owp_setup&a">alert(/XSS/) (WPScan, AttackerKB).

The vulnerability allows attackers to execute malicious JavaScript code in the context of other users' browsers when they visit specially crafted URLs. This can lead to potential theft of sensitive information, session hijacking, or other client-side attacks (WPScan).

The vulnerability has been fixed in Ocean Extra version 1.9.5. Users are advised to update to this version or later to mitigate the risk (WPScan).