CVE-2023-7064
HIGHShortcodes and extra features for Phlox theme < 2.17.5 - Authenticated PHP Object Injection via 'id' Parameter
Title source: llmDescription
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.17.5 via deserialization of untrusted input from the vulnerable 'id' parameter in the 'auxin_template_control_importer' function. This makes it possible for authenticated attackers able to upload a separate PHAR payload as an image file to inject a PHP Object, though the action itself is available to subscribers. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
References (5)
Core 5
Core References
Scores
CVSS v3
7.5
EPSS
0.0087
EPSS Percentile
54.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (2)
averta/Shortcodes and extra features for Phlox theme
< 2.17.5
averta/shortcodes_and_extra_features_for_phlox_theme
< 2.17.6
Published
May 02, 2024
Tracked Since
Feb 18, 2026