Affected plugin | Oxygen Builder |
Active installs | Not available – Commercial |
Vulnerable version | <= 4.8.1 |
Audited version | 4.8.1 |
Fully patched version | Not patched |
Recommended remediation | See: Miscellaneous |
CVE | CVE-2024-31380 (Patchstack link) |
Description
The Oxygen page builder is vulnerable to remote code execution (RCE) in versions <= 4.8.1: an authenticated attacker with builder access can execute arbitrary PHP on the server (and, through it, system commands) and take over the site and, potentially, the server.
To exploit this vulnerability, the attacker needs an account that has been granted “builder access” to Oxygen at some point. “Edit Only” access is sufficient.
Oxygen has a dedicated Client Control feature that is commonly used to give non-technical end users highly restricted access to the page builder.
If one of these accounts is compromised (or used maliciously), it can be used to achieve RCE.
Proof of concept
Technical details will not be released for at least a week.
Proposed patch
Technical details will not be published for at least a week.
Timeline
Vendor contacted | February 11, 2024 (Snicco contacts Patchstack) |
First Response | February 16, 2024 (Patchstack validated the issue) |
Fully patched at | Not patched |
Publicly disclosed | April 03, 2024 |
Miscellaneous
The Oxygen team did not consider this a security vulnerability, but rather a documentation error, and did not issue a patch.
According to them, the “Client Control” never aimed to perform any sorts of permission check, but rather only simplify the visual editor for clients.
When we discovered the vulnerability, the documentation gave no indication of this; “Client Control” was presented as suitable for non-technical users (non-admins), who will typically have looser security hygiene and hardening than administrators.
The documentation has now been updated and contains the following:
Note that while Code Blocks are visually restricted in Edit Only mode, a malicious user could still execute arbitrary PHP code if they have access to Oxygen, so DO NOT GRANT OXYGEN ACCESS TO UNTRUSTED USERS.
https://oxygenbuilder.com/documentation/other/client-control/
Regardless, Snicco & Patchstack strongly disagree with this assessment, as it is roughly analogous to WordPress Core saying something like:
“Contributors can now do everything an admin can. Instead of enforcing permissions, WordPress now just hides the sensitive admin menu links in the sidebar. Be sure to make only trusted users a contributor.”
This mindset goes against anything that access control is supposed to do.
We hope the Oxygen team reconsiders their decision, especially given that the proposed patch is not too difficult to implement.
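To make the difference between a visual restriction and an enforced permission check concrete, here is an added, hypothetical illustration written for this advisory. It is not Oxygen's code, it is not the (unpublished) proposed patch, and it does not describe how Oxygen's builder actually processes requests; the AJAX action names, the meta key, the element type name and the custom capability are all assumptions. The first handler trusts a client-supplied mode flag, which is all a UI-only restriction amounts to once an attacker edits the request; the second walks the submitted element tree on the server and refuses code blocks unless the user holds a capability that restricted accounts are never given.

```php
<?php
// Added, hypothetical illustration (not Oxygen's code, not the proposed patch).
// Action names, the meta key, the 'code_block' type and the capability name are
// assumptions made for this example.
//
// Model: a builder stores a tree of elements in post meta, and any element of
// type 'code_block' has its PHP executed when the page renders. The question is
// where the decision "may this user save a code block?" is made.

/**
 * Anti-pattern: the "Edit Only" restriction lives in the browser. The server
 * receives a client-chosen mode string and a JSON element tree, and saves the
 * tree for anyone allowed to use the builder at all. Hiding the code block UI
 * in Edit Only mode changes nothing here: the user can send the request
 * directly with a 'code_block' element, and with mode omitted or set to "full".
 */
function hypothetical_builder_save_unsafe() {
    check_ajax_referer( 'hypothetical_builder', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }
    $post_id  = (int) ( $_POST['post_id'] ?? 0 );
    $mode     = $_POST['mode'] ?? 'full'; // cosmetic: never consulted below
    $elements = json_decode( wp_unslash( $_POST['elements'] ?? '[]' ), true );
    update_post_meta( $post_id, '_hypothetical_builder_tree', $elements );
    wp_send_json_success( array( 'mode' => $mode ) );
}
add_action( 'wp_ajax_hypothetical_builder_save_unsafe', 'hypothetical_builder_save_unsafe' );

/**
 * Recursively checks whether the submitted tree contains any element that
 * would execute code. Malformed entries count as untrusted rather than ignored.
 */
function hypothetical_tree_contains_code( array $elements ) {
    foreach ( $elements as $el ) {
        if ( ! is_array( $el ) ) {
            return true;
        }
        if ( 'code_block' === ( $el['type'] ?? '' ) ) {
            return true;
        }
        if ( ! empty( $el['children'] )
            && hypothetical_tree_contains_code( (array) $el['children'] ) ) {
            return true;
        }
    }
    return false;
}

/**
 * Enforced check: the server decides from the user's capabilities, not from
 * anything the request claims about its "mode".
 */
function hypothetical_builder_save_safe() {
    check_ajax_referer( 'hypothetical_builder', 'nonce' );
    $post_id = (int) ( $_POST['post_id'] ?? 0 );
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $elements = json_decode( wp_unslash( $_POST['elements'] ?? '[]' ), true );
    if ( ! is_array( $elements ) ) {
        wp_send_json_error( 'bad request', 400 );
    }
    // Assumed custom capability, registered on activation and granted only to
    // administrators. Any existing capability would do, provided it is one the
    // plugin's restricted ("Edit Only") users are never given.
    if ( hypothetical_tree_contains_code( $elements )
        && ! current_user_can( 'hypothetical_builder_edit_code' ) ) {
        wp_send_json_error( 'code blocks require elevated permission', 403 );
    }
    update_post_meta( $post_id, '_hypothetical_builder_tree', $elements );
    wp_send_json_success();
}
add_action( 'wp_ajax_hypothetical_builder_save_safe', 'hypothetical_builder_save_safe' );
```

Two practical caveats for anyone applying this pattern to a real builder: the check has to sit on every write path that can introduce executable content (AJAX save, REST endpoints, template and import handlers), because one unguarded path reduces the rest to decoration; and if restricted users must be able to re-save pages that already contain administrator-placed code blocks, the handler should diff the submitted code blocks against the stored tree and reject only additions or changes rather than any presence.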