Skip to main content

Ocean Product Sharing CVE-2026-56007

| EUVDEUVD-2026-37870 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-18 Patchstack GHSA-5h7g-227p-mv5r
5.9
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
5.9 MEDIUM
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
4.8 MEDIUM

Requires WordPress admin credentials (PR:H, AV:N); stored payload fires in victim browsers (S:C, UI:R); availability impact omitted as stored XSS does not disrupt service.

3.1 AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 18, 2026 - 11:16 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OceanWP Ocean Product Sharing allows Stored XSS.

This issue affects Ocean Product Sharing: from n/a through 2.2.2.

AnalysisAI

Stored XSS in OceanWP's Ocean Product Sharing WordPress plugin (all versions through 2.2.2) allows administrator-level attackers to persist malicious JavaScript into plugin configuration or product sharing fields. When other authenticated users or site visitors load affected product pages, the injected scripts execute in their browsers, enabling session cookie theft, credential harvesting, or unauthorized UI manipulation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain WordPress admin credentials via phishing or credential stuffing
Delivery
Authenticate to WordPress admin panel
Exploit
Inject XSS payload into Ocean Product Sharing plugin configuration field
Install
Payload persisted to WordPress database
C2
Victim user loads a product page rendering the plugin's sharing widget
Execute
Stored script executes in victim's browser
Impact
Session token exfiltrated or further browser-based exploitation performed

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold WordPress administrator-level privileges (PR:H confirmed by CVSS vector), meaning the Ocean Product Sharing plugin settings interface must be accessible to the attacker - this is a non-default condition for external threat actors and limits exploitation to scenarios involving compromised admin accounts, insider threats, or prior privilege escalation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS base score of 5.9 (Medium) accurately reflects the constrained exploitability profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A threat actor who has compromised a WordPress administrator account (or is a malicious co-admin) navigates to the Ocean Product Sharing plugin settings page and injects a JavaScript payload such as a cookie-stealing script into a configuration field that lacks proper sanitization. When a site visitor or authenticated user subsequently loads a product page where the plugin's sharing widget is rendered, the stored payload executes silently in their browser, exfiltrating session tokens to an attacker-controlled endpoint. …
Remediation The primary remediation is to update the Ocean Product Sharing plugin to a version beyond 2.2.2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-56007 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy