CVE-2024-4662 Information
May 25, 2024
cve
Description
The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to and including 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users such as contributors to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Reference
https://www.wordfence.com/threat-intel/vulnerabilities/id/8706c3f6-64e0-440e-a802-5c80d9cc3643?source=cve https://oxygenbuilder.com/oxygen-4-8-3-now-available-security-update/
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
HIGH
Base Severity
8.8
Share on: