CVE-2026-34903
WordPress Ocean Extra plugin <= 2.5.3 - Broken Access Control vulnerabilityMissing Authorization vulnerability in OceanWP Ocean Extra allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ocean Extra: from n/a through 2.5.3.
We have discovered 1,121 live websites that are affected by CVE-2026-34903.
Affected Software
| Product |  Ocean Extra |
| Category | Wordpress Plugins |
| Vulnerable Domains | 1,121 live websites (77% of Ocean Extra install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 30 versions ( 94% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Apr 7, 2026
- Updated - Apr 7, 2026
Credits
- Nguyen Ba Khanh | Patchstack Bug Bounty Program (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2026-34903 United States | 181 websites |
 Germany | 234 websites |
 France | 117 websites |
 Italy | 54 websites |
 South Africa | 32 websites |
 Spain | 32 websites |
 Poland | 31 websites |
 India | 30 websites |
 GB | 29 websites |
 Switzerland | 24 websites |
Website Distribution by TLD
Number of websites using CVE-2026-34903| .com | 345 websites |
| .de | 167 websites |
| .org | 49 websites |
| .fr | 46 websites |
| .it | 37 websites |
| .net | 26 websites |
| .pl | 22 websites |
| .ch | 22 websites |
| .nl | 22 websites |
| .com.br | 22 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2026-34903
Top websites that are affected by CVE-2026-34903. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ********.org | GB | ***,*** | |
| *******************.org | United States | *,***,*** | |
| *************.com | United States | *,***,*** | |
| *****.***********.dz |  Algeria | *,***,*** | |
| *******************.com | United States | *,***,*** | |
| ***********.com | France | *,***,*** | |
| ***********.com | United States | *,***,*** | |
| *******************.com | United States | *,***,*** | |
| **************.**.uk | GB | *,***,*** | |
| ************.net |  Bulgaria | *,***,*** |
FAQ
CVE-2026-34903 is Missing Authorization in Ocean Extra
A total of 1,121 websites have been identified as vulnerable to CVE-2026-34903, based on global website indexing conducted by WebTechSurvey.
The Ocean Extra is affected by the CVE-2026-34903 vulnerability.
Ocean Extra versions up to and including 2.5.3 are vulnerable to CVE-2026-34903.