Oxygen Builder Plugin Vulnerable to Remote Code Execution
CVE-2024-4662

8.8HIGH

Key Information:

Vendor: Wordpress
Status: Oxygen Builder
Vendor: CVE Published:; 23 May 2024

Summary

The Oxygen Builder plugin for WordPress is susceptible to exploitation due to a vulnerability that allows for Remote Code Execution. This issue affects all versions up to and including 4.8.2 and arises from the manner in which the plugin handles custom data storage in post metadata, specifically the absence of an underscore prefix. This flaw enables lower privileged users, such as contributors, to inject arbitrary PHP code through the WordPress user interface, thereby potentially elevating their privileges and compromising the site’s security.

Affected Version(s)

Oxygen Builder * <= 4.8.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://oxygenbuilder.com/oxygen-4-8-3-now-available-secu...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 23, 2024
Vulnerability Reserved
May 8, 2024

Credit

Francesco Carlucci