CVE-2025-13307
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: WPScan

Description
The Ocean Modal Window WordPress plugin before 2.3.3 is vulnerable to Remote Code Execution via the modal display logic. These modals can be displayed under user-controlled conditions that Editors and Administrators can set (edit_pages capability). The conditions are then executed as part of an eval statement executed on every site page. This leads to remote code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13307
EUVD
EUVD-2025-204450
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
oceanwp ocean_modal_window *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Ocean Modal Window WordPress plugin versions prior to 2.3.3 have a Remote Code Execution (RCE) vulnerability due to unsafe evaluation of modal display logic conditions. Editors and Administrators, who have the edit_pages capability, can set these modal display conditions, which are stored in meta fields like 'mw_display_on' and 'mw_hide_on'. These conditions are executed using PHP's eval() function on every site page, allowing malicious code injection and execution. An attacker with sufficient privileges can craft a payload that will run arbitrary code on the site. [1]

Impact Analysis

This vulnerability allows an attacker with Editor or Administrator privileges to execute arbitrary code on the affected WordPress site. This can lead to full site compromise, including unauthorized access, data theft, site defacement, or use of the site to launch further attacks. Because the malicious code runs on every page load, it can severely impact site availability and security. [1]

Detection Guidance

This vulnerability can be detected by checking if the Ocean Modal Window WordPress plugin version is prior to 2.3.3 and by inspecting the `mw_display_on` and `mw_hide_on` meta fields for malicious payloads that use PHP eval() execution. A practical detection method involves intercepting POST requests to `/wp-json/wp/v2/ocean_modal_window/[ID]` and examining the JSON body for suspicious code such as payloads like ["system('sleep 5')"]. You can also observe site page behavior for unusual delays (e.g., a 5-second delay) indicating code execution. Specific commands depend on your environment, but using tools like curl or Postman to fetch and inspect these meta fields or monitoring HTTP requests to the plugin's REST API endpoints can help detect exploitation attempts. [1]

Mitigation Strategies

The immediate mitigation step is to update the Ocean Modal Window WordPress plugin to version 2.3.3 or later, where this vulnerability is fixed. Additionally, restrict Editor and Administrator privileges carefully to trusted users, as the vulnerability requires edit_pages capability to exploit. Monitoring and auditing modal display conditions stored in the `mw_display_on` and `mw_hide_on` meta fields for suspicious code can also help mitigate risk until the update is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13307. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart