Vulnerability Details : CVE-2023-7064
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 2.15.2 via deserialization of untrusted input from the vulnerable 'id' parameter in the 'auxin_template_control_importer' function. This makes it possible for authenticated attackers who can also upload a separate PHAR payload disguised as an image file to inject a PHP object; the vulnerable action itself is reachable by subscriber-level users. No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.
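The deserialization sink the advisory describes, shown as a constructed vulnerable handler beside a hardened one. This is an added illustration, not the plugin's code; the function names, the option key and the choice of the manage_options capability are assumptions, and the WordPress helpers current_user_can, wp_verify_nonce and get_option are assumed to be loaded.

```php
<?php
// Added illustration, not the plugin's code: the bug class the advisory
// describes (a request parameter 'id' reaching unserialize()) beside a hardened
// handler. Function and option names are hypothetical; the WordPress helpers
// current_user_can, wp_verify_nonce and get_option are assumed to be loaded.

// Vulnerable pattern: whatever arrives in 'id' is deserialized as-is. Any
// serialized object graph is instantiated, so a gadget (POP) chain supplied by
// another installed plugin or theme turns this into file deletion, data
// disclosure or code execution, exactly as the advisory warns.
function template_importer_vulnerable(array $request) {
    return unserialize($request['id']);
}

// Hardened pattern:
//  1. Gate the action behind a capability (manage_options is an assumed choice)
//     and a nonce, so subscriber-level accounts cannot reach it.
//  2. Validate 'id' against the shape it should have, a non-negative integer,
//     before it touches anything; this also rejects a phar:// path, which on
//     PHP < 8.0 would trigger deserialization of an uploaded archive's metadata
//     as soon as a filesystem function touched it.
//  3. Deserialize only data read from trusted storage, and with
//     allowed_classes => false so no class can be instantiated from it.
function template_importer_hardened(array $request): ?array {
    if (!current_user_can('manage_options')
        || empty($request['_wpnonce'])
        || !wp_verify_nonce($request['_wpnonce'], 'hypothetical_template_import')) {
        return null; // insufficient privilege or missing/invalid nonce
    }
    $id = filter_var($request['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
    if ($id === false) {
        return null; // anything that is not a plain integer id is refused
    }
    $stored = get_option('hypothetical_template_' . $id, '');
    if (!is_string($stored) || $stored === '') {
        return null; // unknown id
    }
    // Objects in the payload become __PHP_Incomplete_Class instead of live
    // gadgets; a non-array result is treated as corrupt and discarded.
    $data = unserialize($stored, ['allowed_classes' => false]);
    return is_array($data) ? $data : null;
}
```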
Vulnerability category: Execute code
Products affected by CVE-2023-7064
Exploit prediction scoring system (EPSS) score for CVE-2023-7064
0.04% - probability of exploitation activity in the next 30 days
~11% - percentile: the proportion of vulnerabilities scored at or below this one
CVSS scores for CVE-2023-7064
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 | Wordfence | 2024-05-02
References for CVE-2023-7064
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f0882205-3037-4ada-9e44-ddd55d88fcb1?source=cve - Shortcodes and extra features for Phlox theme <= 2.15.2 - Authenticated (Subscriber+) PHP Object Injection via auxin_template_control_importer
- https://wordpress.org/plugins/auxin-elements/ - Shortcodes and extra features for Phlox theme – WordPress plugin | WordPress.org