Oxygen 1.0.2 is a mandatory security update. Versions below 1.0.2 contain several security vulnerabilities that could allow a site to be compromised.
How to Upgrade
Make sure your License key is entered under the Oxygen -> License menu in your WP admin panel, and then force WordPress to check for updates.
You can also visit https://oxygenapp.com/checkout/purchase-history to manually download the updated Oxygen version and access your License Key.
Keeping your License current and set up on the Oxygen -> License screen will allow you to receive update notifications directly in the WP admin panel.
During the initial development cycle, we decided to have the Oxygen code audited by an outside source in order to bring additional eyes to the code. Due to the flexible nature of the Oxygen framework, there were several possible attack vectors that needed to be thoroughly examined and tested.
Numerous vulnerabilities were discovered during a routine security audit. The most serious would allow any logged-in user to execute arbitrary PHP code, resulting in a complete site compromise. The majority of the issues were minor and could allow a higher-level user account (Editor or Author) to escalate their site privileges.
Who is affected?
Anyone running a version of Oxygen older than 1.0.2 could be affected by these vulnerabilities. We suggest you upgrade immediately, even though there have been no known instances of the vulnerabilities being exploited in the wild.
What type of access is required?
The most severe of the vulnerabilities requires an attacker to have a user account on the WordPress site; a simple Subscriber account is sufficient.
When was the audit?
The security audit was started in August 2016, which led to the release of Oxygen version 1.0.2 on September 13th 2016.
Since the Oxygen theme is currently a proprietary product with limited distribution, we will not be releasing complete details of the vulnerabilities.
Other Changes in 1.0.2
- Fixed: incompatibility with PHP 7 caused by the split() function