On Wednesday, January 15th, a security vulnerability in Oxygen’s code was disclosed to us privately by Sam Thomas at Pentest Ltd (https://pentest.co.uk).
While investigating the disclosed vulnerability, we found an additional related vulnerability that was not initially reported to us.
To our knowledge, these vulnerabilities have not been exploited in the wild.
Oxygen 3.1.1 is a security patch specifically for these vulnerabilities and contains no other changes. We are not releasing a changelog or any more details until Oxygen users have had sufficient opportunity to update their sites.
It is critical that you update your Oxygen sites to version 3.1.1 immediately. Here’s how to do that:
- Go to Oxygen > Settings > License and make sure your license key is entered. Once your key is entered (and even if it was already present), click “Submit” and ensure you see the “valid” response next to the input box.
- Next, go to Dashboard > Updates in the WordPress admin panel and, if the Oxygen update isn’t already visible in the plugin update section, click “Check Again” until the update appears.
- Once the update is available, tick the box next to Oxygen in the plugin update section and click “Update Plugins”.
- Go to the Plugins page in the WordPress admin panel and verify that Oxygen’s version number is 3.1.1.
You’re all set! If the automatic update process doesn’t work as described above, you can manually update by doing the following:
- Go to https://oxygenbuilder.com/portal and click “Download Oxygen”.
- In the list of purchases, find your Oxygen purchase and click “View Details and Downloads”.
- Under the “Products” heading, find the download link for Oxygen 3.1.1 and download the zip file (if you use Safari, please switch to Chrome or Firefox to download the file to avoid the file being unzipped automatically).
- Log into your WordPress site and go to the Plugins page in the WordPress admin panel.
- Find Oxygen and click “Deactivate”, then “Delete”.
- At the top of the Plugins page, click “Add New”, and then “Upload Plugin”.
- Click “Choose File” and select the Oxygen 3.1.1 zip file you just downloaded.
- Once the plugin is finished installing, make sure to activate it.
If you have any trouble installing or obtaining Oxygen 3.1.1, please contact firstname.lastname@example.org and we will assist you with your update.