WordPress Plugin Vulnerabilities

Shortcodes and extra features for Phlox theme < 2.15.8 - Subscriber+ Template Import

Description

The plugin is vulnerable to unauthorized access due to a missing capability check, allowing authenticated attackers, with subscriber-level access and above, to import templates.

Affects Plugins

Plugin icon
auxin-elements
Fixed in 2.15.8

References

CVE
CVE-2024-31099
URL
https://patchstack.com/database/vulnerability/auxin-elements/wordpress-phlox-core-elements-plugin-2-15-5-broken-access-control-vulnerability

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Rafie Muhammad
Verified
No
WPVDB ID
5c6faa84-f33d-4d3c-8397-1e4add1f7ff3

Timeline

Publicly Published
2024-03-29 (about 2 years ago)
Added
2024-04-04 (about 2 years ago)
Last Updated
2024-08-12 (about 1 year ago)

Other

Published
Title
Published
2026-02-18
Title
TrueBooker < 1.1.7 - Missing Authorization
Published
2024-08-12
Title
Backup and Restore WordPress <= 1.50 - Missing Authorization
Published
2024-11-08
Title
Top Store < 1.5.5 - Authenticated (Subscriber+) Arbitrary Plugin Installation/Activation
Published
2023-12-26
Title
ProjectHuddle Client Site < 1.0.35 - Missing Authorization via ph_child_ajax_notice_handler
Published
2024-11-15
Title
Customer Reviews for WooCommerce < 5.62.0 - Missing Authorization to Authenticated (Subscriber+) Import Cancellation