Oxygen 4.8.3 is a security update that addresses a vulnerability reported to us by security researcher Francesco Carlucci. It also includes a fix for broken Gutenberg blocks in the latest version of WordPress (6.5+) when using Oxygen.
The security issue we have addressed is a privilege escalation vulnerability that would allow a user with “contributor” or higher permissions to escalate their privileges to admin (CVE-2024-4662). This issue impacts anyone who has granted untrusted users Contributor+ access to their WordPress website. It does not affect you if you do not have Contributor+ users on your WordPress website. This issue can only be exploited by a Contributor+ user.
Important – if you encounter issues after updating, you should:
- For large sites, wait ~5 minutes for the "Oxygen 4.8.3+ requires a migration of your Oxygen meta keys" admin notice to go away. If it doesn't go away on its own, proceed to:
- Go to WP Admin > Oxygen > Settings > Tools and click Migrate Meta
- Clear your cache with your server / host / cache plugin