The Oxygen Builder plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.8.2 via post metadata. This is due to the plugin storing custom data in post metadata without an underscore prefix. This makes it possible for lower privileged users, such as contributors, to inject arbitrary PHP code via the WordPress user interface and gain elevated privileges.
Metrics
Affected Vendors & Products
References
History
No history.

Status: PUBLISHED
Assigner: Wordfence
Published: 2024-05-23T04:30:54.393Z
Updated: 2024-08-01T20:47:41.332Z
Reserved: 2024-05-08T17:11:22.708Z
Link: CVE-2024-4662

Updated: 2024-08-01T20:47:41.332Z

Status : Awaiting Analysis
Published: 2024-05-23T05:15:49.140
Modified: 2024-11-21T09:43:19.670
Link: CVE-2024-4662

No data.