Severity by source
AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Requires WordPress admin credentials (PR:H, AV:N); stored payload fires in victim browsers (S:C, UI:R); availability impact omitted as stored XSS does not disrupt service.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OceanWP Ocean Product Sharing allows Stored XSS.
This issue affects Ocean Product Sharing: from n/a through 2.2.2.
AnalysisAI
Stored XSS in OceanWP's Ocean Product Sharing WordPress plugin (all versions through 2.2.2) allows administrator-level attackers to persist malicious JavaScript into plugin configuration or product sharing fields. When other authenticated users or site visitors load affected product pages, the injected scripts execute in their browsers, enabling session cookie theft, credential harvesting, or unauthorized UI manipulation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold WordPress administrator-level privileges (PR:H confirmed by CVSS vector), meaning the Ocean Product Sharing plugin settings interface must be accessible to the attacker - this is a non-default condition for external threat actors and limits exploitation to scenarios involving compromised admin accounts, insider threats, or prior privilege escalation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD CVSS base score of 5.9 (Medium) accurately reflects the constrained exploitability profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A threat actor who has compromised a WordPress administrator account (or is a malicious co-admin) navigates to the Ocean Product Sharing plugin settings page and injects a JavaScript payload such as a cookie-stealing script into a configuration field that lacks proper sanitization. When a site visitor or authenticated user subsequently loads a product page where the plugin's sharing widget is rendered, the stored payload executes silently in their browser, exfiltrating session tokens to an attacker-controlled endpoint. … |
| Remediation | The primary remediation is to update the Ocean Product Sharing plugin to a version beyond 2.2.2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37870
GHSA-5h7g-227p-mv5r