Description

The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. Modals can be displayed under user-controlled conditions that Editors and Administrators (users with the edit_pages capability) can set. Those conditions are then evaluated as part of an eval statement that runs on every site page, which leads to remote code execution.

PUBLISHED Reserved 2025-11-17 | Published 2025-12-19 | Updated 2025-12-19 | Assigner WPScan

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status: unaffected

Any version before 2.3.3: affected

Credits

Alex Tselevich (nos3curity), finder

WPScan, coordinator

References

wpscan.com/...rability/710de342-6fb9-47bd-a40b-7b74fc3c181b/ (exploit, vdb-entry, technical-description)

cve.org (CVE-2025-13307)

nvd.nist.gov (CVE-2025-13307)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.