CVE-2024-1384
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level or higher permissions to inject malicious scripts via the 'aux_recent_portfolios_grid' shortcode. The scripts are stored and execute whenever users access pages containing the injected shortcode, affecting all WordPress sites using vulnerable versions of the Premium Portfolio Features for Phlox theme plugin.
💻 Affected Systems
- Premium Portfolio Features for Phlox theme plugin for WordPress (plugin slug auxin-portfolio), versions 2.3.3 and earlier
⚠️ Risk & Real-World Impact
Worst Case
A script injected by a contributor runs in the browser of whoever views the affected page, including the editor or administrator who previews the pending post. In an administrator's browser it can use that authenticated session to do anything the administrator can: create a new administrator account, install a plugin or edit theme files (where the file editor is enabled) to plant a backdoor, redirect visitors to malicious sites, or deface the site, leading to complete site compromise.
Likely Case
Attackers with contributor access inject markup that redirects visitors to phishing or scam sites, injects ads or defaces content, or issues requests from the browsers of logged-in users who view the page. WordPress sets its authentication cookies HttpOnly, so the script cannot simply read them out of document.cookie; session abuse happens by making requests from the victim's browser rather than by cookie theft.
If Mitigated
If Contributor, Author and Editor accounts are limited to trusted people and the plugin is updated promptly, exposure is limited to the specific pages that carry the shortcode. Note that a content review process on its own does not stop the attack: a contributor's post sits in pending review until an editor or administrator opens it, and previewing it renders the shortcode, so the reviewer is exactly the user the payload targets.
🎯 Exploit Status
Exploitation requires an authenticated account with the Contributor role or higher (any role that can create posts), so practical exposure depends on how many such accounts exist and whether open registration hands out one of those roles. The vulnerability is publicly documented and a proof-of-concept is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.4 or later
Reference (plugin source on plugins.trac.wordpress.org, not a vendor advisory): https://plugins.trac.wordpress.org/browser/auxin-portfolio/trunk/includes/elements/recent-portfolios.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Premium Portfolio Features for Phlox' (plugin slug auxin-portfolio).
4. Click 'Update Now' if an update is offered.
5. Alternatively, download version 2.3.4 or later from the WordPress.org plugin repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the 'aux_recent_portfolios_grid' shortcode until the plugin is updated.
Do this from a small must-use plugin (wp-content/mu-plugins/) rather than by editing theme files: a call to remove_shortcode('aux_recent_portfolios_grid') only works if it runs after the plugin has registered the shortcode, and an edit to functions.php is lost on the next theme update. Disabling the shortcode breaks the portfolio grids on pages that legitimately use it, so this is a stop-gap, not a fix.
Restrict user roles
Reduce the number of Contributor, Author and Editor accounts to people you trust, and check that open registration (Settings → General → Membership and New User Default Role) does not hand out a role that can create posts.
WordPress has no capability that gates the use of a particular shortcode, so role management plugins cannot block this shortcode on their own; the only role-based control is not granting post-creation roles to untrusted users.
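The must-use plugin described under the first workaround, as an added example (this is not code from the plugin, the theme or this page). It uses the core `pre_do_shortcode_tag` filter instead of `remove_shortcode()` so that it works regardless of when the plugin registers the tag; the file name is a suggestion.

```php
<?php
/**
 * Plugin Name: Disable aux_recent_portfolios_grid (CVE-2024-1384 stop-gap)
 * Description: Short-circuits the vulnerable shortcode until Premium Portfolio
 *              Features for Phlox is updated to 2.3.4 or later.
 *
 * Added example, not part of the plugin. Save as
 *   wp-content/mu-plugins/disable-aux-portfolio-grid.php
 * Must-use plugins load automatically, need no activation and are not touched
 * by theme or plugin updates. Delete the file once the plugin is updated.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // direct access outside WordPress
}

/*
 * `pre_do_shortcode_tag` fires inside do_shortcode_tag() just before a
 * shortcode's handler is called. Returning anything other than false is used
 * as the output and the real handler never runs, so this works no matter when
 * or how the plugin registered the shortcode. Because the tag is still
 * registered, the raw "[aux_recent_portfolios_grid ...]" text (payload
 * included) is not echoed back into the page either.
 */
add_filter( 'pre_do_shortcode_tag', function ( $output, $tag, $attr ) {
    if ( 'aux_recent_portfolios_grid' !== $tag ) {
        return $output; // leave every other shortcode alone
    }

    // Record where the tag is still present so the content can be cleaned up
    // later (goes to the PHP error log, or wp-content/debug.log with WP_DEBUG_LOG).
    error_log( sprintf(
        'CVE-2024-1384 stop-gap: blocked aux_recent_portfolios_grid on post %s',
        get_the_ID() ?: 'unknown'
    ) );

    return ''; // render nothing in place of the grid
}, 10, 3 );
```

Quick check from WP-CLI: `wp eval 'echo do_shortcode("[aux_recent_portfolios_grid]");'` prints nothing while the stop-gap is in place. If the plugin is inactive the tag is unregistered, the filter never fires, and the literal tag text is echoed back instead; that case is not exploitable through the shortcode. Remove the file after updating to 2.3.4 or later (for example with `wp plugin update auxin-portfolio`).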
🧯 If You Can't Patch
- Remove the Premium Portfolio Features for Phlox plugin entirely (deactivating it also stops the shortcode from rendering) and use an alternative portfolio solution
- Review everything contributors and authors submit, but inspect the raw post content (the editor's code view, WP-CLI or the database) rather than the front-end preview: previewing a pending post renders the shortcode and executes any injected script in the reviewer's browser
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Premium Portfolio Features for Phlox' (slug auxin-portfolio) at version 2.3.3 or earlier. An installed but inactive copy cannot be exploited through the shortcode, but should still be updated or removed.
Check Version:
wp plugin get auxin-portfolio --field=version (WP-CLI; the name WP-CLI uses is the plugin slug, not the display title, so filtering wp plugin list on 'Premium Portfolio Features for Phlox' matches nothing), or check the plugin details in the WordPress admin
Verify Fix Applied:
Confirm plugin version is 2.3.4 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Post or page revisions by Contributor or Author accounts that add or change an aux_recent_portfolios_grid shortcode
- Multiple failed login attempts followed by a successful contributor-level login
- Posts, pages or revisions whose aux_recent_portfolios_grid shortcode attributes contain HTML tags, event-handler attributes (on...=) or javascript: URLs
Network Indicators:
- Outbound connections to unknown domains from WordPress pages
- Unexpected script loads in page sources
SIEM Query (pseudo-query: WordPress core does not log post-content changes, so this assumes an activity-log plugin that forwards post_modified events, including the saved content, to the SIEM under the field names shown):
source="wordpress" AND event="post_modified" AND data.content CONTAINS "[aux_recent_portfolios_grid" AND (data.content CONTAINS "<script" OR data.content CONTAINS "javascript:" OR data.content MATCHES "on[a-z]+=")
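The content check behind the log indicators above (and the raw-content review suggested under "If You Can't Patch"), as an added example that is not part of this page or the plugin. It is written for WP-CLI's `wp eval-file`, walks wp_posts (revisions included) for the shortcode, and flags attribute text that looks like injected markup. The indicator patterns are assumptions and will miss encoded variants, so treat a hit as something to look at rather than proof of compromise.

```php
<?php
/**
 * scan-aux-portfolio-grid.php  (added example, not plugin code)
 *
 * Run inside the site:  wp eval-file scan-aux-portfolio-grid.php
 * Reports every post, page or revision whose aux_recent_portfolios_grid
 * shortcode carries attribute text that looks like markup or script
 * injection, together with the author so the account can be reviewed.
 */
global $wpdb;

// The whole tag with its attribute string. `[^\]]*` stops at the first closing
// bracket, which is fine for the indicators below (none need a literal "]").
$shortcode_re = '/\[aux_recent_portfolios_grid\b([^\]]*)\]/i';

// Assumed indicators: things that never belong in a legitimate attribute value
// of this shortcode. Tag injection, event handlers, javascript: URLs.
$suspicious_re = '/<\s*\/?\s*(script|iframe|img|svg|object|embed)\b|\bon[a-z]+\s*=|javascript\s*:/i';

// Cheap pre-filter in SQL; the regex above does the real matching in PHP.
// No post_type filter on purpose: revisions keep the injected versions too.
$rows = $wpdb->get_results(
    "SELECT ID, post_type, post_status, post_author, post_modified, post_content
       FROM {$wpdb->posts}
      WHERE post_content LIKE '%[aux_recent_portfolios_grid%'"
);

$findings = 0;
foreach ( $rows as $row ) {
    if ( ! preg_match_all( $shortcode_re, $row->post_content, $matches, PREG_SET_ORDER ) ) {
        continue;
    }
    foreach ( $matches as $m ) {
        $atts_text = $m[1];
        if ( ! preg_match( $suspicious_re, $atts_text ) ) {
            continue; // attributes look benign
        }
        $findings++;

        // Name the offending attributes where WordPress can parse them.
        // shortcode_parse_atts() returns a string, not an array, when nothing parses.
        $bad  = array();
        $atts = shortcode_parse_atts( $atts_text );
        if ( is_array( $atts ) ) {
            foreach ( $atts as $name => $value ) {
                if ( preg_match( $suspicious_re, (string) $value ) ) {
                    $bad[] = is_int( $name ) ? "(positional) $value" : "$name=$value";
                }
            }
        }

        $author = get_userdata( (int) $row->post_author );
        printf(
            "%s #%d (%s) by %s, modified %s\n    %s\n",
            $row->post_type,
            $row->ID,
            $row->post_status,
            $author ? $author->user_login : 'unknown user ' . $row->post_author,
            $row->post_modified,
            $bad ? implode( ' | ', $bad ) : trim( $atts_text )
        );
    }
}
printf( "%d suspicious shortcode instance(s) found.\n", $findings );
```

Run it before and after cleanup; the post IDs it prints are the ones to inspect in the editor's code view (not the preview) and to trace back to the account that saved them.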