CVE-2025-5524: 
WordPress vulnerability analysis and mitigation

The OceanWP WordPress theme contains a Stored Cross-Site Scripting vulnerability (CVE-2025-5524) in versions up to and including 4.0.9. The vulnerability was discovered on June 18, 2025, and affects the Select HTML tag functionality due to insufficient input sanitization and output escaping (NVD).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) issue. It has been assigned a CVSS v3.1 Base Score of 4.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N. The vulnerability exists in the Select HTML tag implementation, where insufficient input sanitization and output escaping allow for script injection (NVD, Wordfence).

When exploited, this vulnerability allows authenticated attackers with Contributor-level access or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page, potentially compromising the security of site visitors (NVD).

The vulnerability has been patched in OceanWP version 4.1.0, released on June 17, 2025. Users are advised to update to this version or later to protect against this security issue (WordPress Themes).