CVE-2024-8486
📋 TL;DR
This vulnerability allows authenticated WordPress users with Contributor-level access or higher to inject malicious JavaScript into website pages via the Modern Heading and Icon Picker widgets. The injected scripts execute whenever users view the compromised pages, enabling session hijacking, defacement, or malware distribution. All WordPress sites using the Phlox theme's Shortcodes and extra features plugin up to version 2.16.3 are affected.
💻 Affected Systems
- Phlox theme Shortcodes and extra features plugin for WordPress
📦 What is this software?
Phlox theme Shortcodes and extra features (plugin slug: auxin-elements) is the companion plugin for the Phlox WordPress theme. It registers the theme's Elementor widgets, including the Modern Heading and Icon Picker widgets in which this vulnerability lives.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, install backdoors, or completely compromise the WordPress site and potentially the server.
Likely Case
Site defacement, cookie/session theft leading to account takeover, or redirection to phishing/malware sites affecting visitors.
If Mitigated
With the workarounds below in place (Contributor accounts restricted or the two widgets disabled), planting a payload requires an Editor- or Administrator-level account, so exposure drops to insiders and already-compromised privileged accounts. Content saved before the workaround was applied should still be reviewed, because a stored payload keeps firing for every viewer, administrators included.
🎯 Exploit Status
Exploitation requires an authenticated account with Contributor-level access or higher, but is trivial once that is available: the payload is an ordinary widget setting saved through the Elementor editor. No standalone exploit is needed; the public fix changeset (3161415) shows exactly which widget output was left unescaped.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.16.4
Fix Changeset: https://plugins.trac.wordpress.org/changeset/3161415/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Phlox theme Shortcodes and extra features'.
4. Click 'Update Now' if available, or manually update to version 2.16.4 or later.
5. Clear any caching plugin and CDN caches so previously rendered pages are regenerated.
🔧 Temporary Workarounds
Remove vulnerable widgets
Disable or remove the Modern Heading and Icon Picker widgets from Elementor if patching isn't immediately possible.
Restrict user roles
Temporarily remove Contributor-level access or limit who can create/edit posts.
🧯 If You Can't Patch
- Implement a Web Application Firewall (WAF) with XSS protection rules
- Disable the entire auxin-elements plugin until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for 'Phlox theme Shortcodes and extra features' version 2.16.3 or lower.
Check Version:
wp plugin list --name='auxin-elements' --field=version
Verify Fix Applied:
Confirm plugin version is 2.16.4 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- POST requests to /wp-admin/admin-ajax.php (Elementor saves widget settings there) whose body carries a 'url' value containing `<script`, `javascript:` or an `on*=` event-handler attribute
- Multiple page edits by Contributor users
Network Indicators:
- Outbound connections to suspicious domains from your WordPress site
- Inline scripts or external script references in rendered heading/icon markup that are not part of the theme or plugin bundle
SIEM Query:
source="wordpress.log" AND "admin-ajax.php" AND ("javascript:" OR "<script" OR "onerror=" OR "onload=")
The file names heading-modern.php and icon.php identify the vulnerable source files; they only show up in logs that record PHP paths or stack traces, so filter on the request and payload terms above in web-server access logs and add the file names only where your log source includes them. Expect noise from legitimate editors pasting markup and tune the match on the 'url' field once you have seen a few saves.
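To hunt for payloads that are already stored, here is an added example that is not part of this advisory or of the plugin's own code. The Python below walks the JSON that Elementor keeps in the `_elementor_data` post meta, flags url-type settings of the two affected widgets that carry a script payload, and then runs the same values through a simplified model of WordPress esc_url() to show why the escaped output in the patched version is inert. The widget type names aux_modern_heading and aux_icon, the setting keys, and the sample page tree are assumptions constructed for the example; take the real type names from get_name() in the plugin's includes/elementor/widgets/heading-modern.php and icon.php.

```python
import html
import json
import re

# Widget type names are ASSUMED for this example; the real values are returned
# by get_name() in the plugin's widget classes (heading-modern.php, icon.php).
WATCHED_WIDGETS = {"aux_modern_heading", "aux_icon"}

# Things that never belong in a link/URL setting: a javascript: scheme, a raw
# <script> or other tag, or an HTML event-handler attribute used to break out
# of an unescaped attribute value.
SUSPICIOUS = re.compile(
    r"javascript\s*:|<\s*(script|img|svg|iframe)\b|\bon[a-z]+\s*=",
    re.IGNORECASE,
)

# Scheme allow-list and character allow-list modelled loosely on WordPress
# esc_url() / wp_allowed_protocols(); a simplified approximation, not WP's code.
ALLOWED_SCHEMES = {"http", "https", "ftp", "ftps", "mailto", "tel"}
DISALLOWED_URL_CHARS = re.compile(
    r"[^a-z0-9\-~+_.?#=!&;,/:%@$|*'()\[\]\x80-\uffff]", re.I
)


def walk_elements(elements, path=()):
    """Depth-first walk over an Elementor element tree, yielding (path, element)."""
    for idx, el in enumerate(elements):
        here = path + (idx,)
        yield here, el
        yield from walk_elements(el.get("elements", []), here)


def find_injected_urls(elementor_data, watched=WATCHED_WIDGETS):
    """Return findings for url settings of watched widgets that carry payloads.

    elementor_data is the raw JSON string stored in the _elementor_data post meta.
    Elementor link controls are stored as {"url": ..., "is_external": ...}; plain
    string settings whose key ends in "url" are checked as well.
    """
    findings = []
    for path, el in walk_elements(json.loads(elementor_data)):
        if el.get("elType") != "widget" or el.get("widgetType") not in watched:
            continue
        for key, value in el.get("settings", {}).items():
            if isinstance(value, dict) and isinstance(value.get("url"), str):
                raw = value["url"]
            elif isinstance(value, str) and key.endswith("url"):
                raw = value
            else:
                continue
            # Decode HTML entities first so javascript&#58; is not missed.
            if SUSPICIOUS.search(html.unescape(raw)):
                findings.append({"id": el.get("id"), "widget": el["widgetType"],
                                 "setting": key, "value": raw, "path": path})
    return findings


def esc_url_like(url):
    """Simplified model of what esc_url() does to a value before it reaches an href.

    Strips characters a URL may not contain (including < > " and whitespace),
    rejects schemes outside the allow-list, and HTML-escapes the remainder.
    """
    url = DISALLOWED_URL_CHARS.sub("", url.strip())
    if not url:
        return ""
    scheme = re.match(r"^([a-z][a-z0-9+.\-]*):", url, re.I)
    if scheme and scheme.group(1).lower() not in ALLOWED_SCHEMES:
        return ""
    if not scheme and not url.startswith(("/", "#", "?")):
        url = "http://" + url
    return html.escape(url, quote=True)


# Constructed sample of a page's _elementor_data: one clean heading, three
# heading/icon widgets with injected payloads, and a core Elementor heading
# that is outside the watched set.
SAMPLE_ELEMENTOR_DATA = json.dumps([{
    "id": "a1", "elType": "section", "settings": {}, "elements": [{
        "id": "b2", "elType": "column", "settings": {}, "elements": [
            {"id": "c3", "elType": "widget", "widgetType": "aux_modern_heading",
             "settings": {"title": "Welcome",
                          "link": {"url": "https://example.com/about", "is_external": ""}}},
            {"id": "d4", "elType": "widget", "widgetType": "aux_modern_heading",
             "settings": {"title": "Login",
                          "link": {"url": "javascript:alert(document.cookie)"}}},
            {"id": "e5", "elType": "widget", "widgetType": "aux_icon",
             "settings": {"icon_url": "\"><img src=x onerror=alert(1)>"}},
            {"id": "f6", "elType": "widget", "widgetType": "aux_icon",
             "settings": {"link": {"url": "javascript&#58;alert(1)"}}},
            {"id": "g7", "elType": "widget", "widgetType": "heading",
             "settings": {"link": {"url": "javascript:void(0)"}}},
        ]}]}])


if __name__ == "__main__":
    for f in find_injected_urls(SAMPLE_ELEMENTOR_DATA):
        print(f"{f['widget']} id={f['id']} setting={f['setting']}: {f['value']!r}"
              f" -> after esc_url-style escaping: {esc_url_like(f['value'])!r}")
```

To run this against a live site, dump the meta for each Elementor-built post with `wp post meta get <post_id> _elementor_data` (WP-CLI) and pass the output to find_injected_urls(); pass a wider `watched` set if you want every widget type checked rather than only the two named in this advisory. esc_url_like() is an illustration of the escaping behaviour, not a substitute for applying the 2.16.4 update.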
🔗 References
- https://plugins.trac.wordpress.org/browser/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php#L1168
- https://plugins.trac.wordpress.org/browser/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php#L1205
- https://plugins.trac.wordpress.org/browser/auxin-elements/trunk/includes/elementor/widgets/icon.php#L397
- https://plugins.trac.wordpress.org/changeset/3161415/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/09316a23-3a99-47f2-9c3f-795dc0a4a792?source=cve