WordPress Plugin Vulnerabilities

Shortcodes and extra features for Phlox theme < 2.17.6 - Subscriber+ PHP Object Injection

Description

The plugin is vulnerable to PHP Object Injection via deserialization of untrusted input from the vulnerable 'id' parameter in the 'auxin_template_control_importer' function. This makes it possible for authenticated attackers able to upload a separate PHAR payload as an image file to inject a PHP Object, though the action itself is available to subscribers. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.

Affects Plugins

Plugin icon
auxin-elements
Fixed in 2.17.6

References

CVE
CVE-2023-7064
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f0882205-3037-4ada-9e44-ddd55d88fcb1

Classification

Type
OBJECT INJECTION
OWASP top 10
A8: Insecure Deserialization
CWE
CWE-502
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Rhynorater, Michael Brackett
Verified
No
WPVDB ID
6b78eaae-dcd6-4062-b497-14adedcacf53

Timeline

Publicly Published
2024-04-15 (about 1 year ago)
Added
2024-04-16 (about 1 year ago)
Last Updated
2025-07-16 (about 8 months ago)

Other

Published
Title
Published
2025-04-09
Title
Job Board Manager <= 2.1.60 - Authenticated (Contributor+) PHP Object Injection
Published
2017-01-25
Title
CMS Commander Client <= 2.21 - Unauthenticated PHP Object Injection
Published
2025-04-15
Title
uListing <= 2.2.0 - Authenticated (Subscriber+) PHP Object Injection
Published
2025-12-25
Title
WpEvently < 5.0.9 - Authenticated (Contributor+) PHP Object Injection
Published
2024-11-20
Title
Grid View Gallery <= 1.0 - Authenticated (Editor+) PHP Object Injection