Urgent Security Update Released for OxyExtras WordPress Plugin
A security vulnerability was discovered in the popular OxyExtras plugin for WordPress's Oxygen page builder, prompting the release of versions 1.4.4 and 1.4.5 to patch the issue, with users urged to update immediately and take precautionary measures to secure their sites.

Justin Gluska
Updated March 14, 2024

A critical security vulnerability has been discovered in the popular OxyExtras plugin for WordPress's Oxygen page builder. The OxyExtras development team released versions 1.4.4 and 1.4.5 in quick succession yesterday to patch the security hole. They are urging all users to update to the latest version 1.4.5 immediately.
Details on the exact nature of the vulnerability are sparse at this time. When asked, the plugin author stated "Can't reveal at this time. Nothing to be concerned about. Make sure you are using the latest version of the plugin."
However, reports from users in the Oxygen Facebook community indicate the exploit may allow hackers to create rogue admin accounts on WordPress sites running vulnerable versions of OxyExtras. One site owner reported finding an unauthorized admin account with the email address "wp-configuser@config.com" and a username referencing "James Rollner" added to his site. It's unclear if this is directly related to the OxyExtras vulnerability.
Out of an abundance of caution, we recommend all OxyExtras users take the following steps immediately:
- Update OxyExtras to version 1.4.5. You can update from your WordPress plugins page or download the latest version from the OxyExtras website.
- Review all user accounts on your WordPress site, especially any Administrator-level accounts. Delete any unauthorized or suspicious accounts.
- Change passwords for all legitimate admin accounts.
- Run a malware/security scan on your WordPress files to check for any injected malicious code.
- Monitor your site closely over the coming days for any unusual activity.
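The version and account-review steps above can be scripted. The following is an added example, not code from this article or from the OxyExtras project. It assumes the administrator list has been exported as CSV with WP-CLI, that you supply your own list of known admin logins and a cutoff date, and that the plugin version is passed in as the string shown on the Plugins page; the sample rows are constructed.

```python
import csv
import io
import re
from datetime import datetime

PATCHED = (1, 4, 5)  # fixed OxyExtras release named in the article
REPORTED_EMAIL = "wp-configuser@config.com"  # address reported by one site owner

# Constructed sample of the CSV that
# `wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv`
# prints; logins, addresses (except the reported one) and dates are made up.
SAMPLE = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2019-06-01 09:00:00
7,agency-dev,dev@example.com,2021-11-15 14:30:00
42,unknown-admin,wp-configuser@config.com,2024-03-10 03:12:45
"""

def is_patched(version):
    """True when a dotted version string is 1.4.5 or later."""
    parts = tuple(int(n) for n in re.findall(r"\d+", version)[:3])
    return parts >= PATCHED

def review_admins(csv_text, known_logins, cutoff):
    """Return (login, email, reasons) for every administrator row worth a manual look."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["user_login"] not in known_logins:
            reasons.append("not on known-admin list")
        if row["user_email"].strip().lower() == REPORTED_EMAIL:
            reasons.append("email matches reported account")
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff:
            reasons.append("registered on or after cutoff")
        if reasons:
            findings.append((row["user_login"], row["user_email"], reasons))
    return findings

if __name__ == "__main__":
    print("1.4.3 patched?", is_patched("1.4.3"))
    for login, email, reasons in review_admins(
            SAMPLE, {"siteowner", "agency-dev"}, datetime(2024, 1, 1)):
        print(f"REVIEW {login} <{email}>: {'; '.join(reasons)}")
```

Because the flaw may have existed for some time before the patch, treat the known-admin list as the primary check and the cutoff date as a secondary signal.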
The OxyExtras team pushed out versions 1.4.4 and 1.4.5 very quickly to close the security hole. However, the previous version, 1.4.3, hadn't been updated since May 2022. It's possible this vulnerability existed for some time before being discovered and patched.
If you have any problems updating or concerns that your site may have been compromised, contact the OxyExtras support team for assistance. We will continue monitoring the situation and providing updates as more details emerge about the scope and impact of this security issue.