Vulnerability in Phlox theme plugin allows attackers to inject PHP objects via deserialization of untrusted input
CVE-2023-7064

7.5HIGH

Key Information:

Vendor: Wordpress
Status: Shortcodes And Extra Features For Phlox Theme
Vendor: CVE Published:; 2 May 2024

Summary

The Phlox theme plugin for WordPress is affected by a PHP Object Injection vulnerability that allows authenticated attackers to exploit the deserialization of untrusted input from the 'id' parameter in the 'auxin_template_control_importer' function. Versions prior to 2.15.2 are susceptible, enabling attackers who can upload a separate PHAR payload as an image file to inject malicious PHP objects. Although no payload operation chain exists within the plugin itself, if a payload operation chain is introduced through other plugins or themes on the same system, it could lead to significant risks including arbitrary file deletion, unauthorized data retrieval, or code execution.

Affected Version(s)

Shortcodes and extra features for Phlox theme * <= 2.15.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/auxin-elements/

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Dec 21, 2023

Credit

Justin Gardner

Michael Brackett