CVE-2025-12379
📋 TL;DR
This stored XSS vulnerability in the Phlox theme's Shortcodes and extra features plugin allows authenticated WordPress users with Contributor-level access or higher to inject malicious scripts into website pages. The scripts execute whenever users view the compromised pages, potentially affecting all visitors to vulnerable WordPress sites.
💻 Affected Systems
- Phlox theme Shortcodes and extra features plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, redirect users to malicious sites, deface websites, or perform actions on behalf of authenticated users, potentially leading to full site compromise.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal visitor session data, display unwanted content, or redirect users to phishing pages.
If Mitigated
With proper input validation and output escaping, the vulnerability is prevented, and only legitimate content is displayed to users.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once an attacker has contributor-level credentials.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.17.14 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3429103/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find 'Phlox theme Shortcodes and extra features' plugin. 4. Click 'Update Now' if available, or manually update to version 2.17.14+. 5. Verify the update completed successfully.
🔧 Temporary Workarounds
Remove vulnerable plugin
allTemporarily disable or remove the plugin until patched
wp plugin deactivate auxin-elements
wp plugin delete auxin-elements
Restrict user roles
allTemporarily restrict contributor-level access or review user permissions
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block XSS payloads in 'tag' and 'title_tag' parameters
- Regularly audit user accounts and remove unnecessary contributor-level access
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for 'Phlox theme Shortcodes and extra features' version 2.17.13 or earlierCheck Version:
wp plugin get auxin-elements --field=versionVerify Fix Applied:
Confirm plugin version is 2.17.14 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress admin-ajax.php with 'tag' or 'title_tag' parameters containing script tags
- Multiple failed login attempts followed by successful contributor-level login
Network Indicators:
- HTTP requests with JavaScript payloads in 'tag' or 'title_tag' parameters
- Unexpected outbound connections from WordPress site to external domains
SIEM Query:
source="wordpress.log" AND ("tag=<script" OR "title_tag=<script" OR "wp-admin/admin-ajax.php" AND "action=auxin" AND ("tag=" OR "title_tag="))🔗 References
- https://plugins.trac.wordpress.org/browser/auxin-elements/tags/2.17.12/includes/elementor/widgets/heading-modern.php#L1194
- https://plugins.trac.wordpress.org/changeset/3429103/auxin-elements/trunk/includes/elementor/widgets/heading-modern.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/1144e0d9-692e-45a5-ac63-bcdd64a8bd8a?source=cve
