Platform
wordpress
Component
ocean-modal-window
Fixed in
2.3.3
CVE-2025-13307 is a Remote Code Execution (RCE) vulnerability in the Ocean Modal Window plugin for WordPress. An authenticated attacker holding the Editor role or higher can execute arbitrary code on the server. Versions up to and including 2.3.2 are affected; version 2.3.3 contains the fix.
Successful exploitation gives the attacker code execution as the PHP/web-server user, which on a typical installation means full control of the site: reading the database credentials in wp-config.php, planting web shells for persistence, defacement, malware distribution to visitors, and a foothold for moving further into the hosting environment. What makes it significant is the privilege boundary it crosses: an Editor is meant to publish and edit content, not to upload or run PHP, so the flaw turns a content-management role into server compromise. As with many WordPress plugin RCEs, the root cause class is insufficient validation of user-controlled input before it reaches functionality that executes code.
CVE-2025-13307 was publicly disclosed on 2025-11-28. No active exploitation campaign had been confirmed at the time of writing, but the low skill required (a valid Editor account and a crafted request) and the plugin's install base make broad opportunistic attacks plausible, and public proof-of-concept code is likely to follow disclosure. This CVE is not currently listed in CISA KEV.
WordPress sites running the Ocean Modal Window plugin are at risk, and the risk rises with the number of accounts holding Editor or higher privileges, since any one of those accounts (or a phished or reused credential for it) is enough to exploit the bug. Shared hosting environments deserve particular attention: code runs as the PHP worker, so on a host without proper per-site isolation, compromise of one site can extend to others on the same server.
• wordpress (WP-CLI): list the installed version
wp plugin list | grep ocean-modal-window
• wordpress (WP-CLI): update to the patched release
wp plugin update ocean-modal-window --version=2.3.3
• generic web: locate the plugin files on disk (the path assumes the default plugin directory; `wp plugin list` above remains the authoritative version check)
grep -r "ocean_modal_window_plugin_dir" /var/www/html/wp-content/plugins/ocean-modal-window/
• generic web: check the plugin's changelog on the WordPress.org plugin directory for the 2.3.3 entry and any indicators of compromise published alongside the advisory.
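The version check from the list above, carried into a script that does the comparison correctly rather than by eye. This is an added example, not code from the plugin or from this advisory. It assumes the main plugin file is ocean-modal-window.php under the default wp-content/plugins/ocean-modal-window/ directory (adjust TARGET if your install differs), and it embeds a constructed sample header for a 2.3.2 install so it can be run without a WordPress installation present.

```shell
#!/bin/sh
# Added example (not the plugin's or the advisory's own code): decide whether an
# Ocean Modal Window install is exposed to CVE-2025-13307 by reading the
# "Version:" header of the main plugin file and comparing it with 2.3.3.
# Assumption: the main plugin file is ocean-modal-window.php inside the default
# wp-content/plugins/ocean-modal-window/ directory; pass another path as $1 if not.
set -eu

FIXED_VERSION="2.3.3"

# Extract the version from a WordPress plugin header block (the same "Version:"
# line WordPress and WP-CLI report). Prints nothing if the header is absent.
plugin_version() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# version_lt A B: succeed (exit 0) when A is strictly older than B.
# Compares up to three numeric dot-separated fields; missing fields count as 0,
# so "2.3" < "2.3.1" and "2.10.0" > "2.3.3" (plain string comparison gets the latter wrong).
version_lt() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$1" | cut -d. -f"$i" | tr -cd '0-9')
    y=$(printf '%s' "$2" | cut -d. -f"$i" | tr -cd '0-9')
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 1
}

# assess FILE: print "vulnerable", "patched" or "unknown" for the plugin file given.
assess() {
  v=$(plugin_version "$1")
  if [ -z "$v" ]; then
    echo "unknown"
  elif version_lt "$v" "$FIXED_VERSION"; then
    echo "vulnerable"
  else
    echo "patched"
  fi
}

# Constructed sample: the top of a main plugin file as it would read in the last
# affected release (2.3.2), so the script runs without a WordPress install.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
<?php
/**
 * Plugin Name: Ocean Modal Window
 * Version: 2.3.2
 */
EOF

TARGET="${1:-/var/www/html/wp-content/plugins/ocean-modal-window/ocean-modal-window.php}"
if [ -f "$TARGET" ]; then
  echo "$TARGET: $(assess "$TARGET")"
else
  echo "$TARGET: not found (no install to check at that path)"
fi
echo "constructed sample (2.3.2): $(assess "$SAMPLE")"
```

Run it with the plugin's main file as the first argument on each site you administer. Because the bug needs an Editor-level account, pair the result with `wp user list --role=editor` and `wp user list --role=administrator` to see how many accounts can reach it; that count is the exposure on a site that cannot be patched immediately.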
Exploit status
disclosure
EPSS
0.35% (percentile 57%)
CVSS vector
(not provided on this page)
The primary mitigation for CVE-2025-13307 is to upgrade the Ocean Modal Window plugin to version 2.3.3 or later immediately. If the upgrade must wait for compatibility testing, reduce the attack surface in the meantime: audit every account holding the Editor role or higher, remove or downgrade those that do not need it, enforce strong passwords and multi-factor authentication on the rest, and restrict access to the WordPress admin area (for example by IP allow-list) to trusted users. A Web Application Firewall with rules for suspicious code-execution attempts adds a further layer, but it is a stopgap rather than a fix. Scan the installation regularly with a reputable security plugin, and after patching check for signs of prior compromise (unexpected PHP files under wp-content, recently modified plugin files, unknown administrator accounts).
Update to version 2.3.3, or a later patched version
CVE-2025-13307 is a Remote Code Execution vulnerability in the Ocean Modal Window WordPress plugin that lets authenticated attackers with the Editor role or higher execute code on the server.
You are affected if you run Ocean Modal Window version 2.3.2 or earlier. Check the installed plugin version and upgrade without delay.
Upgrade the Ocean Modal Window plugin to version 2.3.3 or later to close the vulnerability.
No active exploitation campaign has been confirmed, but the vulnerability is easy to exploit for anyone holding an Editor account, so attacks should be expected.
Refer to the plugin developer's website or the WordPress.org plugin directory for the official advisory and update information.