CVE-2023-7064
📋 TL;DR
This vulnerability in the Phlox theme's Shortcodes plugin allows authenticated WordPress users with subscriber-level access to perform PHP object injection by exploiting insecure deserialization in the 'auxin_template_control_importer' function. Attackers can upload a malicious PHAR file disguised as an image, potentially leading to arbitrary file deletion, data theft, or remote code execution if other vulnerable plugins/themes provide the necessary POP chain. All WordPress sites using this plugin up to version 2.15.2 are affected.
💻 Affected Systems
- Shortcodes and extra features for Phlox theme (Auxin Elements)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete site compromise, data exfiltration, or server takeover if a suitable POP chain exists from other installed plugins/themes.
Likely Case
Arbitrary file deletion or sensitive data exposure through object injection, requiring attacker to have subscriber access and upload capability.
If Mitigated
Limited impact with proper access controls, file upload restrictions, and no compatible POP chains in the environment.
🎯 Exploit Status
Exploitation requires subscriber-level authentication and file upload capability. No public exploit code available but vulnerability details are published.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.15.3 or later
Vendor Advisory: https://wordpress.org/plugins/auxin-elements/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'Auxin Elements' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.15.3+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Restrict File Uploads
Limit file upload capabilities for subscriber-level users
Use WordPress plugins like 'Members' or 'User Role Editor' to remove upload_files capability from subscriber role
Disable Vulnerable Function
Remove or disable the vulnerable auxin_template_control_importer function
Add to the theme's functions.php: remove_action('wp_ajax_auxin_template_control_importer', 'auxin_template_control_importer');
🧯 If You Can't Patch
- Temporarily deactivate the Auxin Elements plugin until patched
- Implement strict file upload validation and monitoring for PHAR files
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Auxin Elements → Version. If version is 2.15.2 or lower, you are vulnerable.
Check Version:
wp plugin list --name=auxin-elements --field=version (if WP-CLI installed)
Verify Fix Applied:
Verify plugin version is 2.15.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file uploads by subscriber users
- POST requests to /wp-admin/admin-ajax.php with action=auxin_template_control_importer
- PHAR file upload attempts
Network Indicators:
- Increased admin-ajax.php requests from subscriber accounts
- Unusual outbound connections after file uploads
SIEM Query:
source="wordpress.log" AND ("auxin_template_control_importer" OR "PHAR" OR "subscriber upload")
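As an added detection example (not part of this advisory), the following Python flags access-log requests that hit the vulnerable AJAX action and checks whether an installed plugin version is below the fix. The log format, usernames and addresses are constructed for the example, and it assumes the action arrives in the query string and that the WordPress username is written to the auth field.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line (constructed format for this example: the
# auth field carries the WordPress username, which stock web-server logging
# does not record on its own).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
VULN_ACTION = "auxin_template_control_importer"
FIXED_VERSION = (2, 15, 3)  # first patched release named in the advisory


def is_vulnerable_version(version: str) -> bool:
    """True when the installed Auxin Elements version is below 2.15.3."""
    parts = tuple(int(p) for p in version.strip().split(".")[:3])
    parts += (0,) * (3 - len(parts))  # pad "2.16" to (2, 16, 0)
    return parts < FIXED_VERSION


def flag_importer_calls(lines):
    """Return parsed entries that invoke the vulnerable admin-ajax action.

    Only the query string is visible in an access log; an action sent in the
    POST body needs a WAF or application log that records request parameters.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        action = parse_qs(url.query).get("action", [""])[0]
        if action == VULN_ACTION:
            hits.append({"ip": m.group("ip"), "user": m.group("user"),
                         "method": m.group("method"), "status": m.group("status")})
    return hits


# Constructed sample lines (not real traffic); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.7 - sub_alice [12/Jan/2024:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=auxin_template_control_importer HTTP/1.1" 200 412',
    '203.0.113.9 - sub_bob [12/Jan/2024:10:02:13 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88',
    '198.51.100.4 - - [12/Jan/2024:10:03:00 +0000] "GET /wp-content/uploads/2024/01/banner.png HTTP/1.1" 200 9021',
]

if __name__ == "__main__":
    for hit in flag_importer_calls(SAMPLE_LOG):
        print("ALERT", hit)
```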
🔗 References
- https://wordpress.org/plugins/auxin-elements/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f0882205-3037-4ada-9e44-ddd55d88fcb1?source=cve