CVE-2024-31380

WordPress Oxygen plugin <= 4.9 - Authenticated Remote Code Execution (RCE) vulnerability

CVSS 9.9 CRITICALEPSS 0.8%CWE-94

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.9EPSS 0.8%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

03 Apr 2024Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products

Soflyy · Oxygen Builder

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1