CVE-2024-3341
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts via the 'aux_gmaps' shortcode in the Phlox theme plugin. The scripts are stored and execute whenever other users view affected pages, enabling persistent cross-site scripting attacks. All WordPress sites using vulnerable versions of the Phlox theme plugin are affected.
💻 Affected Systems
- Phlox WordPress Theme (Auxin Elements plugin)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Malicious actors inject scripts to steal user session cookies, redirect visitors to phishing pages, or display unwanted content.
If Mitigated
With proper user role management and content review processes, impact is limited to potential content defacement from trusted users.
🎯 Exploit Status
Exploitation requires authenticated access but is technically simple once authenticated. Public proof-of-concept exists in vulnerability reports.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.15.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3078496%40auxin-elements&new=3078496%40auxin-elements
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Auxin Elements for Phlox Theme'.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.15.6+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the 'aux_gmaps' shortcode functionality
Add to the theme's functions.php, hooked late on init so it runs after the plugin has registered the shortcode (a bare call at file load can run too early and silently do nothing): add_action('init', function () { remove_shortcode('aux_gmaps'); }, 99);
Restrict user roles
Temporarily limit contributor-level posting capabilities
Use WordPress role management plugins to restrict shortcode usage
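A finer-grained variant of the two workarounds above, added here as an illustration (not code from the Auxin Elements plugin or the Phlox theme): instead of removing [aux_gmaps] for everyone, wrap the plugin's own handler so it only renders for posts whose author holds the unfiltered_html capability, which contributors lack by default. The mu-plugin file name is an assumption, and the code assumes the plugin registers the shortcode on or before the init hook.

```php
<?php
/**
 * Example must-use plugin, e.g. wp-content/mu-plugins/gate-aux-gmaps.php
 * (file name is an assumption). Added illustration, not part of Auxin Elements.
 *
 * Keeps the original [aux_gmaps] handler but lets it run only when the post's
 * author holds 'unfiltered_html'. Contributors (and, by default, authors) lack
 * that capability, so attribute values they stored never reach the shortcode's
 * output path, while trusted editors keep their maps.
 * Hooked at the lowest priority on 'init' so it runs after the plugin has
 * registered the shortcode (assumed to happen on or before 'init').
 */
add_action( 'init', function () {
    global $shortcode_tags;

    if ( empty( $shortcode_tags['aux_gmaps'] ) ) {
        return; // plugin inactive or shortcode not registered: nothing to gate
    }

    $original = $shortcode_tags['aux_gmaps'];
    remove_shortcode( 'aux_gmaps' );

    add_shortcode( 'aux_gmaps', function ( $atts, $content = null, $tag = '' ) use ( $original ) {
        $post = get_post();

        // Fail closed: no post context, or an author without unfiltered_html,
        // yields an empty string instead of the map markup.
        if ( ! $post || ! user_can( (int) $post->post_author, 'unfiltered_html' ) ) {
            return '';
        }

        return call_user_func( $original, $atts, $content, $tag );
    } );
}, PHP_INT_MAX );
```

On multisite only super admins hold unfiltered_html, so there the map renders only on their posts; an editor previewing a contributor's draft also sees no map, because the capability check is against the post author rather than the viewer.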
🧯 If You Can't Patch
- Implement strict content review process for all posts/pages from contributor-level users
- Deploy web application firewall (WAF) rules to detect and block XSS payloads in shortcode attributes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Auxin Elements version. If version is 2.15.5 or lower, system is vulnerable.
Check Version:
wp plugin list --name=auxin-elements --field=version (if WP-CLI installed)
Verify Fix Applied:
Confirm plugin version is 2.15.6 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode usage in post/page edits
- Multiple failed login attempts followed by successful contributor login
Network Indicators:
- Script tags in HTTP POST data to wp-admin/post.php
- Unusual outbound connections after page views
SIEM Query:
source="wordpress.log" AND ("aux_gmaps" OR "script" OR "onerror") AND (event="post_edit" OR event="page_update")
🔗 References
- https://plugins.trac.wordpress.org/browser/auxin-elements/trunk/includes/elements/gmap.php#L266
- https://plugins.trac.wordpress.org/browser/auxin-elements/trunk/includes/elements/gmap.php#L301
- https://www.wordfence.com/threat-intel/vulnerabilities/id/3705f028-9c8d-48b1-8950-160e10038294?source=cve