CVE-2025-8944

Published: Sep 5, 2025Modified: Jan 20, 2026

4.3

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Exploitability: 2.8 / Impact: 1.4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The OceanWP WordPress theme before 4.1.2 is vulnerable to an option update due to a missing capability check on one of its AJAX request handler, allowing any authenticated users, such as subscriber to update the darkMod` setting.

Affected (1)

Products: Oceanwp: Oceanwp

Oceanwp

1 product

Oceanwp

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Oceanwp Oceanwp	Before 4.1.2

Related CWEs

CWE-862

Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

References (1)

https://wpscan.com/vulnerability/cf77b7f2-525b-4fe8-b612-185a1c18c197/

Source: contact@wpscan.com

ExploitThird Party Advisory

Timeline

No history available yet.