CVE-2024-3517
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to inject malicious scripts into pages through the Phlox theme's Accordion Widget. The scripts are stored and execute whenever other users view the compromised pages, enabling persistent (stored) cross-site scripting attacks. All WordPress sites running a vulnerable version of the Phlox theme plugin are affected.
💻 Affected Systems
- Phlox theme Shortcodes and extra features plugin for WordPress
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor access inject malicious scripts to steal user session cookies or credentials, potentially compromising user accounts.
If Mitigated
With proper user role management and input validation, the impact is limited to defacement or minor data theft from lower-privileged users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.15.6 or later
Vendor Advisory: https://wordpress.org/plugins/auxin-elements/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find 'Phlox Core Elements' plugin
4. Click 'Update Now' if available
5. Alternatively, download version 2.15.6+ from WordPress repository and manually update
🔧 Temporary Workarounds
Disable Accordion Widget
Temporarily disable the vulnerable Accordion Widget in Elementor
Restrict User Roles
Temporarily remove contributor access or limit it to trusted users only
🧯 If You Can't Patch
- Implement strict user role management - only grant contributor access to trusted users
- Deploy web application firewall (WAF) rules to block XSS payloads targeting the accordion widget
🔍 How to Verify
Check if Vulnerable:
Check the WordPress admin panel > Plugins > Phlox Core Elements. If the version is 2.15.5 or lower, you are vulnerable.
Check Version:
wp plugin list --name=auxin-elements --field=version
Verify Fix Applied:
After updating, verify plugin version shows 2.15.6 or higher in WordPress plugins list.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with accordion-related parameters
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests containing script tags in accordion widget parameters
- Outbound connections to suspicious domains after page views
SIEM Query:
source="wordpress.log" AND ("accordion" OR "auxin-elements") AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
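The SIEM query above is a plain string match. As an added example (not part of the original advisory), the script below applies the same context-AND-payload logic to constructed access log lines, but URL-decodes each line first so that percent-encoded payloads submitted through admin-ajax.php are caught as well; the log lines and parameter names are constructed for illustration.

```python
from urllib.parse import unquote

# Terms taken from the advisory's SIEM query.
CONTEXT_TERMS = ("accordion", "auxin-elements")
PAYLOAD_TERMS = ("<script>", "javascript:", "onerror=", "onload=")


def is_suspicious(line: str) -> bool:
    """True when the decoded, lower-cased line mentions the accordion widget
    or the plugin AND carries one of the script-injection markers.
    Both conditions are required, mirroring the AND in the SIEM query."""
    decoded = unquote(line).lower()   # catches %3Cscript%3E etc.
    has_context = any(t in decoded for t in CONTEXT_TERMS)
    has_payload = any(t in decoded for t in PAYLOAD_TERMS)
    return has_context and has_payload


def scan(lines):
    """Return (line_number, line) pairs that match, 1-indexed."""
    return [(n, ln) for n, ln in enumerate(lines, 1) if is_suspicious(ln)]


# Constructed sample log lines (not real traffic; parameter names are made up).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Apr/2024:10:01:02 +0000] "GET /sample-page/ HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Apr/2024:10:02:10 +0000] "POST /wp-admin/admin-ajax.php'
    '?widget=accordion&title=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 312',
    '203.0.113.5 - - [10/Apr/2024:10:03:44 +0000] "POST /wp-admin/admin-ajax.php'
    '?widget=accordion&title=Pricing%20FAQ HTTP/1.1" 200 290',
    '198.51.100.7 - - [10/Apr/2024:10:05:00 +0000] "GET /?s=%3Cscript%3E HTTP/1.1" 200 4096',
    '198.51.100.7 - - [10/Apr/2024:10:06:15 +0000] "POST /wp-admin/admin-ajax.php'
    '?plugin=auxin-elements&img=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 301',
]

if __name__ == "__main__":
    # Expected: lines 2 and 5 match; line 3 has context but no payload,
    # line 4 has a payload but no accordion/plugin context.
    for n, hit in scan(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

Feed it real access or WordPress logs line by line; a hit is a starting point for review, not proof of compromise, since the same terms appear in benign editor traffic.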
🔗 References
- https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.15.5/includes/elementor/widgets/accordion.php#L745
- https://www.wordfence.com/threat-intel/vulnerabilities/id/a4541890-4c0d-4348-91df-42cf4b575514?source=cve