Stored Cross-Site Scripting Vulnerability in Phlox Theme Plugin for WordPress

CVE-2024-9545

6.4MEDIUM

Key Information

Vendor: Averta
Status: Shortcodes And Extra Features For Phlox Theme
Vendor: CVE Published:; 21 December 2024

Summary

The Phlox theme plugin for WordPress contains a critical Stored Cross-Site Scripting vulnerability (CVE-2024-9545) that affects all versions up to and including 2.16.4. This security flaw arises from inadequate input sanitization and output escaping in the plugin's aux_contact_box and aux_gmaps shortcodes. Authenticated attackers with contributor-level privileges can exploit this vulnerability to inject arbitrary web scripts into pages, resulting in potential malicious code execution whenever users access those pages. It is crucial for users to update to the latest version of the plugin to mitigate the risk associated with this vulnerability.

Affected Version(s)

Shortcodes and extra features for Phlox theme <= 2.16.4

Refferences

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/auxin-elements...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
Dec 21, 2024
Vulnerability Reserved
Oct 4, 2024

Collectors

NVD DatabaseMitre Database

Credit

David Gallagher