CVE-2025-3457: 
WordPress vulnerability analysis and mitigation

The Ocean Extra plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'oceanwp_icon' shortcode in all versions up to, and including, 2.4.6 due to insufficient input sanitization and output escaping on user supplied attributes. This vulnerability was discovered and disclosed on April 21, 2025 (NVD).

The vulnerability exists due to insufficient input sanitization and output escaping on user-supplied attributes in the 'oceanwp_icon' shortcode functionality. The issue allows authenticated attackers with contributor-level access or above to inject arbitrary web scripts into pages. The vulnerability has been assigned a CVSS v3.1 score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

When exploited, this vulnerability allows authenticated attackers to inject malicious scripts that will execute whenever a user accesses an affected page. This could lead to theft of sensitive information, session hijacking, or other client-side attacks against site visitors (NVD).

The vulnerability has been patched in version 2.4.7 of the Ocean Extra plugin. Site administrators are strongly advised to update to this version or later. The update includes fixes for multiple potential vulnerabilities reported by Wordfence on April 11th, 2025 (WordPress Changelog).