Important – if you encounter issues after updating, you should:
Oxygen 4.8.3 is a security update that addresses a vulnerability reported to us by security researcher Francesco Carlucci. It also includes a fix for broken Gutenberg blocks in the latest version of WordPress (6.5+) when using Oxygen.
The security issue we have addressed is a privilege escalation vulnerability that would allow a user with “contributor” or higher permissions to escalate their privileges to an admin (CVE-2024-4662). This issue impacts anyone that has granted untrusted users Contributor+ access to their WordPress website. It does not affect you if you do not have Contributor+ users on your WordPress website. This issue can only be exploited by a Contributor+ user.
At this time there are no known instances of this vulnerability being exploited in the wild.
If there are no non-admin users on your website with a role of Contributor or higher, you are not vulnerable.
If you granted non-admin users on your site a role of Contributor or higher, you are impacted. You should upgrade to 4.8.3.
After installing 4.8.3, your site will attempt to automatically perform a migration step. In most cases, this will be a seamless process and your site will experience no downtime.
Possible issues you may experience if the migration fails are: some or all of your site going blank on the front-end, or appearing blank when you open Oxygen to edit some content.
If your site experiences issues after the update, here’s what you need to do:
If you continue to experience issues after following these steps, the issue is unlikely to be related to 4.8.3. Please email support@oxygenbuilder.com and our team will be happy to help.
If, for some reason, you need to downgrade to a version prior to 4.8.3, you will need to reverse the meta migration.
This can be done under Oxygen > Settings > Tools by clicking the “Undo Migrate Meta” button.
Once the migration has been reversed, you can then install Oxygen 4.8.2 or earlier. Don’t forget to clear all caches.
We're also releasing version 1.4.5 of the Oxygen Gutenberg integration, which is required to support the new meta keys in Oxygen 4.8.3.
Please make sure you're using the appropriate version of the Gutenberg integration based on which version of Oxygen you're using: Oxygen 4.8.3 requires Oxygen Gutenberg 1.4.5 or later. Oxygen <= 4.8.2 requires Oxygen Gutenberg 1.4.4.
Once Francesco reported a similar issue to us for Breakdance, we invited them to investigate Oxygen as well. On May 7th, they alerted us to this vulnerability in Oxygen and we immediately began work to remediate the issue.
This reiterates the importance of regular, high quality security audits, a long-time standard practice here at Soflyy. Please note that any reports about this issue coming out through Patchstack are from other security researchers attempting to replicate the Breakdance RCE in Oxygen, and that the discovery should be credited to Francesco Carlucci who validated CVE-2024-4662 on May 8th via WordFence.