Vulnerabilities and security researches forauxin-elements auxin-elements

Direction: ascending

Jun 07, 2024

Shortcodes and extra features for Phlox theme # CVE-2023-37888

CVE, Research URL: CVE-2023-37888
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: May 17, 2024
Research Description: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in By Averta Shortcodes and extra features for Phlox theme allows PHP Local File Inclusion.This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.14.0.
Affected versions: max 2.15.0.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-1348

CVE, Research URL: CVE-2024-1348
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: May 02, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the custom JS parameter in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.15.8.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2023-50368

CVE, Research URL: CVE-2023-50368
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Dec 14, 2023
Research Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Averta Shortcodes and extra features for Phlox theme allows Stored XSS.This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.15.2.
Affected versions: max 2.15.5.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2022-1910

CVE, Research URL: CVE-2022-1910
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Jul 11, 2022
Research Description: The Shortcodes and extra features for Phlox WordPress plugin before 2.9.8 does not sanitise and escape a parameter before outputting it back in the response, leading to a Reflected Cross-Site Scripting
Affected versions: max 2.9.8.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2022-3359

CVE, Research URL: CVE-2022-3359
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Dec 12, 2022
Research Description: The Shortcodes and extra features for Phlox theme WordPress plugin before 2.10.7 unserializes the content of an imported file, which could lead to PHP object injection when a user imports (intentionally or not) a malicious file and a suitable gadget chain is present on the blog.
Affected versions: max 2.9.14.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-1357

CVE, Research URL: CVE-2024-1357
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Apr 16, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_timeline shortcode in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping on user supplied attributes such as thumb_mode and date_type. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.15.8.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-31099

CVE, Research URL: CVE-2024-31099
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Apr 01, 2024
Research Description: Missing Authorization vulnerability in Averta Shortcodes and extra features for Phlox theme auxin-elements.This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.15.7.
Affected versions: max 2.15.8.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-1533

CVE, Research URL: CVE-2024-1533
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: May 02, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the HTML Element in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Requires Elementor and the Phlox theme to be installed.
Affected versions: max 2.15.8.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2023-7064

CVE, Research URL: CVE-2023-7064
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: May 02, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.15.2 via deserialization of untrusted input from the vulnerable 'id' parameter in the 'auxin_template_control_importer' function. This makes it possible for authenticated attackers able to upload a separate PHAR payload as an image file to inject a PHP Object, though the action itself is available to subscribers. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
Affected versions: max 2.17.6.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-3341

CVE, Research URL: CVE-2024-3341
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: May 02, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'aux_gmaps' shortcode in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.15.8.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-3517

CVE, Research URL: CVE-2024-3517
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: May 02, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Accordion Widget in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access and higher, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.15.6.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-1396

CVE, Research URL: CVE-2024-1396
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: May 02, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘title_tag’ parameter in all versions up to, and including, 2.15.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.15.8.
Status: vulnerable

Oct 05, 2024

Shortcodes and extra features for Phlox theme # CVE-2024-8486

CVE, Research URL: CVE-2024-8486
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Oct 05, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘url’ parameter in the Modern Heading and Icon Picker widgets all versions up to, and including, 2.16.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.16.4.
Status: vulnerable

Dec 22, 2024

Shortcodes and extra features for Phlox theme # CVE-2024-12588

CVE, Research URL: CVE-2024-12588
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Dec 21, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Staff widget in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.17.3.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2024-9545

CVE, Research URL: CVE-2024-9545
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Dec 21, 2024
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's aux_contact_box and aux_gmaps shortcodes in all versions up to, and including, 2.16.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: max 2.17.1.
Status: vulnerable

Feb 05, 2025

Shortcodes and extra features for Phlox theme # CVE-2024-50500

CVE, Research URL: CVE-2024-50500
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Feb 03, 2025
Research Description: Missing Authorization vulnerability in By Averta Shortcodes and extra features for Phlox theme allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Shortcodes and extra features for Phlox theme: from n/a through 2.17.2.
Affected versions: max 2.17.5.
Status: vulnerable

Jan 11, 2026

Shortcodes and extra features for Phlox theme # CVE-2025-63071

CVE, Research URL: CVE-2025-63071
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Dec 09, 2025
Research Description: Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12.
Affected versions: max 2.17.12.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2025-13215

CVE, Research URL: CVE-2025-13215
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Jan 06, 2026
Research Description: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.
Affected versions: max 2.17.14.
Status: vulnerable

Shortcodes and extra features for Phlox theme # CVE-2025-69016

CVE, Research URL: CVE-2025-69016
Home page URL: Security reports for Shortcodes and extra features for Phlox theme
Application: Shortcodes and extra features for Phlox theme
Date: Dec 30, 2025
Research Description: Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.12.
Affected versions: max 2.17.12.
Status: vulnerable