Client Control Remote Code Execution – Oxygen <= 4.8.1 – CVE-2024-31380

| in

Affected pluginOxygen Builder
Active installsNot available – Commercial
Vulnerable version<= 4.8.1
Audited version4.8.1
Fully patched versionNot patched
Recommended remediationSee: Misc
CVECVE-2024-31380 (Patchstack link)


The Oxygen page builder is vulnerable to remote code execution (RCE) in versions <= 4.8.1, which means that an attacker can run arbitrary code/system commands and take over the site/server.

To exploit this vulnerability, a user must have been granted “builder access” to Oxygen in the past. “Edit Only” access is sufficient.

Oxygen has a dedicated Client Control which is commonly used to give non-technical end-users highly restricted access to the page builder.

If one of these accounts is compromised (or used maliciously), it can be used to achieve RCE.

Proof of concept

Technical details will not be released for at least a week.

Proposed patch

Technical details will not be published for at least a week.


Vendor contactedFebruary 11, 2024 (Snicco contacts Patchstack)
First ResponseFebruary 16, 2024 (Patchstack validated the issue)
Fully patched atNot patched
Publicly disclosedApril 03, 2024


The Oxygen team did not consider this a security vulnerability, but rather a documentation error, and did not issue a patch.

According to them, the “Client Control” never aimed to perform any sorts of permission check, but rather only simplify the visual editor for clients.

When we discovered the vulnerability this was not reflected in the documentation at all and “Client Control” was supposed to be safe for non-technical users (non-admins) with probably loose(r) security hygiene and hardening.

The documentation has now been updated and contains the following:

Note that while Code Blocks are visually restricted in Edit Only mode, a malicious user could still execute arbitrary PHP code if they have access to Oxygen, so DO NOT GRANT OXYGEN ACCESS TO UNTRUSTED USERS.

Regardless, Snicco & Patchstack strongly disagree with this assessment, as it is roughly analogous to WordPress Core saying something like:

“Contributors can now do everything an admin can. Instead of enforcing permissions, WordPress now just hides the sensitive admin menu links in the sidebar – “Be sure to make only trusted users a contributor”.

This mindset goes against anything that access control is supposed to do.

We hope the Oxygen team reconsiders their decision, especially given that the proposed patch is not too difficult to implement.

Leave a Reply

Your email address will not be published. Required fields are marked *