WordPress Oxygen Builder Plugin < 4.4 is vulnerable to Cross Site Request Forgery (CSRF)
No known patch is available for this vulnerability.
The affected theme has not been updated on WordPress.org since before this CVE was disclosed; the latest installable version is still vulnerable. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
A CSRF vulnerability in the abandoned Oxygen WordPress theme (≤ 0.6.0) allows attackers to forge requests on behalf of an admin, leading to unauthorized changes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cross-Site Request Forgery (CSRF) vulnerability exists in the Oxygen WordPress theme (slug: oxygen) up to version 0.6.0, which remains the latest available release as of the CVE publication date [1]. The theme has been abandoned since 2016-07-03, meaning no security patches have been issued for this or any other vulnerability [1]. The flaw resides in the theme's handling of state-changing requests, which are not protected by nonce tokens or other CSRF countermeasures, allowing an attacker to trick an authenticated administrator into performing unintended actions.
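As an added illustration, not code from the Oxygen theme (whose source is not shown on this page), the following hypothetical WordPress settings handler shows the unprotected pattern described above beside the nonce-and-capability-checked form that WordPress core provides for exactly this purpose; the option name, action name and form markup are assumed.

```php
<?php
// Added illustration, not code from the Oxygen theme. Option name
// 'oxygen_demo_settings' and action 'oxygen_demo_save' are made up.

// Vulnerable pattern: any POST to admin-post.php?action=oxygen_demo_save is
// applied as long as the browser carries a logged-in admin cookie. Browsers
// attach that cookie to cross-origin form submissions too, so a page the
// admin merely visits can drive this handler (CSRF).
function oxygen_demo_save_vulnerable() {
    update_option( 'oxygen_demo_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_safe_redirect( admin_url( 'themes.php?page=oxygen-demo' ) );
    exit;
}

// Hardened pattern: (1) require a nonce bound to this action and the current
// user, which a cross-origin page cannot read; (2) re-check the capability so
// only users allowed to edit theme options succeed; (3) sanitize before storing.
function oxygen_demo_save_hardened() {
    // check_admin_referer() stops with a "link has expired" page when the nonce
    // is missing, stale, or was issued for a different user or action.
    check_admin_referer( 'oxygen_demo_save', 'oxygen_demo_nonce' );

    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    // Expect one level of string values; anything else is dropped.
    $raw   = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = array_map( 'sanitize_text_field', array_filter( $raw, 'is_string' ) );
    update_option( 'oxygen_demo_settings', $clean );

    wp_safe_redirect( admin_url( 'themes.php?page=oxygen-demo' ) );
    exit;
}
add_action( 'admin_post_oxygen_demo_save', 'oxygen_demo_save_hardened' );

// The settings form must embed the matching nonce; wp_nonce_field() emits a
// hidden input named 'oxygen_demo_nonce' (plus a _wp_http_referer field).
function oxygen_demo_render_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="oxygen_demo_save">';
    wp_nonce_field( 'oxygen_demo_save', 'oxygen_demo_nonce' );
    echo '<input type="text" name="settings[tagline]" value="">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When auditing a theme for this class of bug, every handler hooked to admin_post_*, wp_ajax_* or admin_init that calls update_option() without a preceding check_admin_referer()/wp_verify_nonce() and capability check is a candidate.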
Exploitation
An attacker must craft a malicious link or web page that performs a cross-origin request to the target WordPress site while an authenticated administrator is logged in. No special network position or additional authentication is required beyond the victim's active session. The attacker does not need direct write access to the site. Exploitation relies on social engineering to make the administrator click the crafted link or load the malicious page in a browser where they are already authenticated.
Impact
A successful CSRF attack allows the attacker to perform any action available to the targeted administrator on the WordPress site, such as modifying theme settings, adding or deleting users, changing content, or installing plugins. The integrity and availability of the site can be compromised, with potential for privilege escalation if the attacker creates a new administrator account. No confidentiality breach is directly achieved, but subsequent post-exploitation steps could lead to information disclosure.
Mitigation
The Oxygen theme (slug: oxygen) has been abandoned since July 2016, and no fixed version has been released since the vulnerability was disclosed [1]. As of the CVE publication date (2023-10-03), the only complete mitigation is to uninstall the theme and replace it with an actively maintained alternative [1]. Users who must continue using the theme should implement a Web Application Firewall (WAF) rule to block known CSRF attack patterns, though this is a partial workaround and not guaranteed to cover all vectors. The theme is not listed on the CISA KEV as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <= 4.4
- (no CPE) range: n/a
Patches
oxygen: This theme appears unmaintained; its last release on WordPress.org predates this CVE's publication, so no fix has been shipped since the vulnerability was disclosed. The latest installable version is still vulnerable. Users should uninstall it or switch to an actively maintained alternative.
Source: api.wordpress.org · directory page
References