Shortcodes and extra features for Phlox theme < 2.17.14 – Unauthenticated Draft Posts Information Exposure | CVE 2025-13215 | Plugin Vulnerabilities

Description

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.

Affects Plugins

Fixed in 2.17.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/7f47ab91-7d91-4231-91ef-66c556ad8496

Classification

Type

SENSITIVE DATA DISCLOSURE

OWASP top 10

A3: Sensitive Data Exposure

CWE

CVSS

Miscellaneous

Original Researcher

Nguyen C

Verified

No

WPVDB ID

86ca4930-fdb1-4f8d-9b17-0c3f191a18c9

Timeline

Publicly Published

2026-01-05 (about 5 months ago)

Added

2026-01-05 (about 5 months ago)

Last Updated

2026-01-06 (about 5 months ago)

Other

Published

Title

Published

2026-04-23

Title

WSMS (formerly WP SMS) – SMS & MMS Notifications with OTP and 2FA for WooCommerce < 7.2.2 - Authenticated (Subscriber+) Information Exposure

Published

2024-08-28

Title

GiveWP < 3.16.0 - Unauthenticated Full Path Disclosure

Published

2025-12-15

Title

Pixel Manager for WooCommerce < 1.52.0 - Unauthenticated Information Exposure

Published

2024-07-12

Title

Zephyr Project Manager < 3.3.100 - Unauthenticated Information Exposure

Published

2022-01-14

Title

Futurio Extra < 1.6.3 - Subscriber+ User Email Address Disclosure