soflyy / oxygen-bugs-and-features

Bug Reports & Feature Requests for Oxygen
https://oxygenbuilder.com/
315 stars, 31 forks

WordPress Oxygen Builder Plugin <= 4.8.2 is vulnerable to Remote Code Execution (RCE) #3537

Closed Nissulya closed 1 month ago

Nissulya commented 1 month ago

see https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_a_id=110

KittenCodes commented 1 month ago

Please see here for more information. There's no RCE vulnerability in Oxygen: https://oxygenbuilder.com/oxygen-4-8-2-now-available/.

arsh999cg commented 1 month ago

@KittenCodes you are right about the post you mentioned above, and I fully agree...

But Patchstack and others have a bigger profile than Oxygen, and hosts which are partnered with Patchstack are disabling the Oxygen plugin entirely, and don't allow you to build anything, or break already-built sites.

I suggest it's better to collaborate then, for the good of Oxygen, as I and most people are still with Oxygen, but currently I'm not going to use Oxygen on any premium hosting service which is partnered with Patchstack, Wordfence or Sucuri.

I hope for a good future for Oxygen, and if the Oxygen team is not listening to this request then it will be dead for sure soon. I know these are harsh words, but this is reality.

Spellhammer commented 1 month ago

> hostings which are partnered with patchstack, are disabling oxygen plugin entirely, and doesn't allow to build anything or break already built sites

Which hosts are disabling Oxygen due to this invalid CVE?

arsh999cg commented 1 month ago

@Spellhammer

Haven't you seen posts on Facebook about that... aah sorry, you couldn't, because posts about that are getting deleted and commenting is stopped.

I, as a user, can see it, but as support or a developer how could you not see that? I have been with Oxygen and stayed with it till now, but you asked a question that is already public, which gives a bad impression.

I'll never go back to custom theme development or use another builder from now on.

You can live your dream of over-trusting yourself, I'll do mine.

This is my last interaction with this issue.

arsh999cg commented 1 month ago

I've tagged you, @Spellhammer, in a Facebook post and it was deleted at the same time; how rude and untrustworthy a reaction...

Such a shame.

Spellhammer commented 1 month ago

Please email support@oxygenbuilder.com if you are on a host that is using unvetted, disputed CVEs to deactivate plugins. We want to know about it.

Nissulya commented 1 month ago

We are using Plesk to host WordPress installations at my university, and we got the automatic Patchstack warning through the WordPress Toolkit with severity level 9.9. Normally we would deactivate plugins with this severity level at once, but the affected blogs wouldn't be functioning without Oxygen. This is why I opened the issue here. After your explanation I reviewed the settings of these blogs, and it's OK for me now. I don't know about other hosts' policies on this matter.