PT-2024-32078 · WordPress · Oxygen Builder

Francesco Carlucci · Published 2024-05-22 · Updated 2024-05-24 · CVE-2024-4662

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Oxygen Builder plugin for WordPress, versions up to and including 4.8.2

Description
The issue allows Remote Code Execution via post metadata. The plugin stores its custom data in post metadata under keys without a leading underscore. WordPress treats only underscore-prefixed meta keys as protected and keeps them out of the generic custom-field editing interfaces, so lower-privileged users who can edit a post can also set these keys through the WordPress user interface, inject arbitrary PHP code, and gain elevated privileges.

Recommendations
For Oxygen Builder plugin for WordPress versions up to and including 4.8.2, update to a version higher than 4.8.2 to resolve the issue. As a temporary workaround, consider restricting access to post metadata for lower-privileged users, such as contributors, until a patch is available.
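The defect class described above, beside the hardened meta registration a plugin author would use instead, as an added PHP example; this is not Oxygen Builder's code, and the `builder_template` keys and function names are hypothetical:

```php
<?php
// Added example (not Oxygen Builder's code; all names hypothetical).
// A plugin stores a value it later trusts in post meta. Meta keys with no
// leading underscore are ordinary custom fields: any user who can edit the
// post can set them through the Custom Fields box, XML-RPC or the REST API,
// so the plugin cannot assume its own UI wrote the value.

// WEAK: unprefixed, unregistered key. is_protected_meta() returns false and
// WordPress maps edit_post_meta to plain edit_post, so every post editor qualifies.
function weak_save_template( int $post_id, string $template ): void {
    update_post_meta( $post_id, 'builder_template', $template );
}

// HARDENED: underscore-prefixed key, registered with an auth_callback that
// WordPress consults when it maps the edit_post_meta capability (Custom
// Fields box, REST API, XML-RPC). Without a callback, a '_' key is simply
// denied to everyone through those generic interfaces.
add_action( 'init', function () {
    register_post_meta( '', '_builder_template', array(
        'type'              => 'string',
        'single'            => true,
        'show_in_rest'      => false,            // keep it out of the REST API
        'sanitize_callback' => 'wp_kses_post',
        'auth_callback'     => function () {
            return current_user_can( 'manage_options' );   // administrators only
        },
    ) );
} );

function hardened_save_template( int $post_id, string $template ): bool {
    // Capability check on the plugin's own write path as well: meta protection
    // governs the generic interfaces, not code that calls update_post_meta().
    if ( ! current_user_can( 'manage_options' ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return false;
    }
    return false !== update_post_meta( $post_id, '_builder_template', $template );
}

// Audit helper: meta keys on a post that lower-privileged roles could set
// through the generic editing interfaces. Any key a plugin later interprets
// as code or markup should not appear in this list.
function unprotected_meta_keys( int $post_id ): array {
    $keys = array_keys( (array) get_post_meta( $post_id ) );
    return array_values( array_filter( $keys, function ( string $key ): bool {
        return ! is_protected_meta( $key, 'post' );
    } ) );
}
```

Running `unprotected_meta_keys()` against posts on an affected site lists the keys a contributor could write until the plugin is updated.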

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2024-4662

Affected Products
Oxygen Builder