CVE-2024-31380 (GCVE-0-2024-31380)

Vulnerability from cvelistv5 – Published: 2024-04-03 11:41 – Updated: 2024-08-26 08:09
VLAI?
Title
WordPress Oxygen plugin <= 4.9 - Authenticated Remote Code Execution (RCE) vulnerability
Summary
Improper Control of Generation of Code ('Code Injection') vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9.
Severity ?
9.9 (Critical)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CWE
  • CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
Vendor Product Version
Soflyy Oxygen Builder Affected: n/a , ≤ 4.9 (custom)
Create a notification for this product.
Credits
Snicco (Patchstack Alliance)
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:soflyy:oxygen:*:*:*:*:*:wordpress:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "oxygen",
            "vendor": "soflyy",
            "versions": [
              {
                "lessThanOrEqual": "4.8.2",
                "status": "affected",
                "version": "0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-31380",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-23T15:09:32.611305Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T17:36:04.246Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T01:52:56.590Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve"
          },
          {
            "tags": [
              "third-party-advisory",
              "technical-description",
              "x_transferred"
            ],
            "url": "https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Oxygen Builder",
          "vendor": "Soflyy",
          "versions": [
            {
              "lessThanOrEqual": "4.9",
              "status": "affected",
              "version": "n/a",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "user": "00000000-0000-4000-9000-000000000000",
          "value": "Snicco (Patchstack Alliance)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.\u003cp\u003eThis issue affects Oxygen Builder: from n/a through 4.9.\u003c/p\u003e"
            }
          ],
          "value": "Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-242",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-242 Code Injection"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.9,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-08-26T08:09:38.091Z",
        "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "shortName": "Patchstack"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve"
        },
        {
          "tags": [
            "third-party-advisory",
            "technical-description"
          ],
          "url": "https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "WordPress Oxygen plugin \u003c= 4.9 - Authenticated Remote Code Execution (RCE) vulnerability",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
    "assignerShortName": "Patchstack",
    "cveId": "CVE-2024-31380",
    "datePublished": "2024-04-03T11:41:27.576Z",
    "dateReserved": "2024-04-01T06:51:34.353Z",
    "dateUpdated": "2024-08-26T08:09:38.091Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9.\"}, {\"lang\": \"es\", \"value\": \"La vulnerabilidad de control inadecuado de la generaci\\u00f3n de c\\u00f3digo (\\\"inyecci\\u00f3n de c\\u00f3digo\\\") en Soflyy Oxygen Builder permite la inyecci\\u00f3n de c\\u00f3digo. Este problema afecta a Oxygen Builder: desde n/a hasta 4.8.2.\"}]",
      "id": "CVE-2024-31380",
      "lastModified": "2024-11-21T09:13:24.617",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"audit@patchstack.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"baseScore\": 9.9, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 6.0}]}",
      "published": "2024-04-03T12:15:13.530",
      "references": "[{\"url\": \"https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve\", \"source\": \"audit@patchstack.com\"}, {\"url\": \"https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1\", \"source\": \"audit@patchstack.com\"}, {\"url\": \"https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "audit@patchstack.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"audit@patchstack.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-31380\",\"sourceIdentifier\":\"audit@patchstack.com\",\"published\":\"2024-04-03T12:15:13.530\",\"lastModified\":\"2024-11-21T09:13:24.617\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9.\"},{\"lang\":\"es\",\"value\":\"La vulnerabilidad de control inadecuado de la generaci\u00f3n de c\u00f3digo (\\\"inyecci\u00f3n de c\u00f3digo\\\") en Soflyy Oxygen Builder permite la inyecci\u00f3n de c\u00f3digo. Este problema afecta a Oxygen Builder: desde n/a hasta 4.8.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"audit@patchstack.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve\",\"source\":\"audit@patchstack.com\"},{\"url\":\"https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1\",\"source\":\"audit@patchstack.com\"},{\"url\":\"https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve\", \"tags\": [\"vdb-entry\", \"x_transferred\"]}, {\"url\": \"https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1\", \"tags\": [\"third-party-advisory\", \"technical-description\", \"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T01:52:56.590Z\"}}, {\"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-31380\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-05-23T15:09:32.611305Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:soflyy:oxygen:*:*:*:*:*:wordpress:*:*\"], \"vendor\": \"soflyy\", \"product\": \"oxygen\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.8.2\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-05-23T15:11:33.404Z\"}, \"title\": \"CISA ADP Vulnrichment\"}], \"cna\": {\"title\": \"WordPress Oxygen plugin \u003c= 4.9 - Authenticated Remote Code Execution (RCE) vulnerability\", \"source\": {\"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"user\": \"00000000-0000-4000-9000-000000000000\", \"value\": \"Snicco (Patchstack Alliance)\"}], \"impacts\": [{\"capecId\": \"CAPEC-242\", \"descriptions\": [{\"lang\": \"en\", \"value\": \"CAPEC-242 Code Injection\"}]}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 9.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Soflyy\", \"product\": \"Oxygen Builder\", \"versions\": [{\"status\": \"affected\", \"version\": \"n/a\", \"versionType\": \"custom\", \"lessThanOrEqual\": \"4.9\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://patchstack.com/database/vulnerability/oxygen/wordpress-oxygen-plugin-4-8-1-auth-remote-code-execution-rce-vulnerability?_s_id=cve\", \"tags\": [\"vdb-entry\"]}, {\"url\": \"https://snicco.io/vulnerability-disclosure/oxygen/client-control-remote-code-execution-oxygen-4-8-1\", \"tags\": [\"third-party-advisory\", \"technical-description\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.1.0-dev\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.This issue affects Oxygen Builder: from n/a through 4.9.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Improper Control of Generation of Code (\u0027Code Injection\u0027) vulnerability in Soflyy Oxygen Builder allows Code Injection. Vendor is ignoring report, refuses to patch the issue.\u003cp\u003eThis issue affects Oxygen Builder: from n/a through 4.9.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"shortName\": \"Patchstack\", \"dateUpdated\": \"2024-08-26T08:09:38.091Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-31380\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-08-26T08:09:38.091Z\", \"dateReserved\": \"2024-04-01T06:51:34.353Z\", \"assignerOrgId\": \"21595511-bba5-4825-b968-b78d1f9984a3\", \"datePublished\": \"2024-04-03T11:41:27.576Z\", \"assignerShortName\": \"Patchstack\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.