Skip to main content

Ocean Extra CVE-2026-34903

| EUVD-2026-19594 MEDIUM
Missing Authorization (CWE-862)
2026-04-07 Patchstack GHSA-mhqr-7m5g-wj8v
Authentication Bypass Ocean Extra
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 07, 2026 - 09:15 euvd
EUVD-2026-19594
Analysis Generated
Apr 07, 2026 - 09:15 vuln.today
CVE Published
Apr 07, 2026 - 08:57 nvd
MEDIUM 5.4

DescriptionCVE.org

Missing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Extra: from n/a through 2.5.3.

AnalysisAI

Missing authorization in OceanWP Ocean Extra plugin versions through 2.5.3 allows authenticated users to bypass access control restrictions and perform unauthorized modifications or denial-of-service actions. An attacker with valid user credentials can exploit incorrectly configured access control checks to escalate privileges beyond their intended permission level. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment The CVSS v3.1 score of 5.4 (Medium severity) reflects a network-accessible, low-complexity attack requiring authenticated access (PR:L) that can impact integrity and availability but not confidentiality (I:L, A:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with a valid WordPress user account (such as a subscriber or contributor account) logs into a WordPress site running OceanWP Ocean Extra through version 2.5.3 and directly accesses or modifies functions intended only for administrators by exploiting the missing authorization checks. For example, the attacker could modify site settings, delete content, or deface the website without requiring administrative credentials. …
Remediation Update OceanWP Ocean Extra to a patched version released after 2.5.3 via the WordPress plugin management interface or directly from the official Ocean Extra repository. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-34903 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy