Description
Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery. This issue affects Oxygen: from n/a through <= 6.0.8.
Published: 2026-02-20
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Side Request for Potential Data Exposure
Action: Apply Patch
AI Analysis

Impact

An SSRF vulnerability exists in the Oxygen theme for WordPress versions up to 6.0.8 that allows an attacker to instruct the server to make arbitrary HTTP requests to external or internal resources. The flaw is classified as CWE-918 and could enable an attacker to exfiltrate sensitive data, interact with internal services, or use the server as a stepping stone for further exploitation.

Affected Systems

The vulnerable product is Laborator's Oxygen theme for WordPress, affecting all releases from the earliest available version through version 6.0.8.

Risk and Exploitability

The CVSS score of 7.2 signifies a high severity while the EPSS score of less than 1% indicates a currently low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation would require a remote actor to supply a crafted URL to a feature in the theme that performs outbound requests, presenting a clear remote attack vector.

Generated by OpenCVE AI on April 27, 2026 at 20:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Oxygen WordPress theme to the latest released version, which removes the SSRF flaw.
  • If an immediate upgrade is not possible, configure the web server firewall to block outbound requests to internal IP ranges and enforce a whitelist of allowed external destinations.
  • Enable logging and monitoring of outbound HTTP requests from the WordPress installation to detect and alert on anomalous activity.

Advisories

No advisories yet.

History

Wed, 25 Feb 2026 14:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Mon, 23 Feb 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Laborator; Laborator oxygen; Wordpress; Wordpress wordpress
Vendors & Products | | Laborator; Laborator oxygen; Wordpress; Wordpress wordpress

Fri, 20 Feb 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery. This issue affects Oxygen: from n/a through <= 6.0.8.
Title | | WordPress Oxygen theme <= 6.0.8 - Server Side Request Forgery (SSRF) vulnerability
Weaknesses | | CWE-918
References | |

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:46:23.309Z

Reserved: 2025-12-31T20:11:57.533Z

Link: CVE-2025-69299

Vulnrichment

Updated: 2026-02-24T19:57:18.864Z

NVD

Status: Deferred

Published: 2026-02-20T16:22:17.330

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-69299

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T20:45:12Z

Weaknesses