CVE-2025-13307
BaseFortify
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: WPScan
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| oceanwp | ocean_modal_window | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
The Ocean Modal Window WordPress plugin versions prior to 2.3.3 have a Remote Code Execution (RCE) vulnerability due to unsafe evaluation of modal display logic conditions. Editors and Administrators, who have the edit_pages capability, can set these modal display conditions, which are stored in meta fields like `mw_display_on` and `mw_hide_on`. These conditions are executed using PHP's eval() function on every site page, allowing malicious code injection and execution. An attacker with sufficient privileges can craft a payload that will run arbitrary code on the site. [1]
How can this vulnerability impact me?
This vulnerability allows an attacker with Editor or Administrator privileges to execute arbitrary code on the affected WordPress site. This can lead to full site compromise, including unauthorized access, data theft, site defacement, or use of the site to launch further attacks. Because the malicious code runs on every page load, it can severely impact site availability and security. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the Ocean Modal Window WordPress plugin version is prior to 2.3.3 and by inspecting the `mw_display_on` and `mw_hide_on` meta fields for malicious payloads that use PHP eval() execution. A practical detection method involves intercepting POST requests to `/wp-json/wp/v2/ocean_modal_window/[ID]` and examining the JSON body for suspicious code such as `["system('sleep 5')"]`. You can also observe site page behavior for unusual delays (e.g., a 5-second delay) indicating code execution. Specific commands depend on your environment, but using tools like curl or Postman to fetch and inspect these meta fields or monitoring HTTP requests to the plugin's REST API endpoints can help detect exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the Ocean Modal Window WordPress plugin to version 2.3.3 or later, where this vulnerability is fixed. Additionally, restrict Editor and Administrator privileges carefully to trusted users, as the vulnerability requires edit_pages capability to exploit. Monitoring and auditing modal display conditions stored in the `mw_display_on` and `mw_hide_on` meta fields for suspicious code can also help mitigate risk until the update is applied. [1]
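An audit script for the meta-field check described in the detection and mitigation answers above, added here as an example and not part of the advisory or of the plugin's own code: it walks `wp_postmeta` rows (constructed sample rows, not from a real site) and flags `mw_display_on` / `mw_hide_on` values that contain PHP a display condition should never need. The shape of a benign condition (plain identifier tokens) and the JSON-array storage format are assumptions, not the plugin's documented format.

```python
import json
import re

CONDITION_META_KEYS = {"mw_display_on", "mw_hide_on"}  # keys named in the advisory
# Assumption: a benign condition is one or more plain identifier tokens
# (conditional-tag style names) separated by whitespace, commas or pipes.
BENIGN_CONDITION = re.compile(r"^[A-Za-z_]\w*((\s*[,|]\s*|\s+)[A-Za-z_]\w*)*$")
# PHP constructs that have no place in a display condition.
DANGEROUS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert|"
    r"base64_decode|file_put_contents|unserialize)\s*\(|`|\$_(GET|POST|REQUEST|COOKIE)",
    re.IGNORECASE,
)

def classify_condition(value: str) -> str:
    """Return 'critical', 'review' or 'ok' for one stored condition string."""
    if DANGEROUS.search(value):
        return "critical"
    if BENIGN_CONDITION.match(value.strip()):
        return "ok"
    return "review"

def audit_postmeta(rows):
    """rows: (post_id, meta_key, meta_value) tuples, e.g. from SELECT ... FROM wp_postmeta.
    Returns one finding per condition that is not clearly benign."""
    findings = []
    for post_id, meta_key, meta_value in rows:
        if meta_key not in CONDITION_META_KEYS:
            continue
        # Assumption: the value is a bare string or a JSON array of strings.
        try:
            parsed = json.loads(meta_value)
        except (ValueError, TypeError):
            parsed = None
        conditions = parsed if isinstance(parsed, list) else [meta_value]
        for cond in conditions:
            verdict = classify_condition(str(cond))
            if verdict != "ok":
                findings.append({"post_id": post_id, "meta_key": meta_key,
                                 "condition": cond, "verdict": verdict})
    return findings

# Constructed sample rows, not taken from any real site.
SAMPLE_ROWS = [
    (12, "mw_display_on", "is_front_page"),
    (12, "mw_hide_on", '["is_user_logged_in", "is_page"]'),
    (37, "mw_display_on", '["system(\'sleep 5\')"]'),
    (41, "mw_hide_on", "is_single() && is_page(5)"),
    (41, "_edit_lock", "1700000000:1"),
]
```

A `critical` finding is a stored payload that the plugin would pass to eval(); a `review` finding only means the value does not match the assumed benign shape and needs a human look.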