WWordPress Vulnerability Database

Hong Kong Security Advisory XSS in Phlox(CVE202512379)

Cross Site Scripting (XSS) in WordPress Shortcodes and extra features for Phlox theme Plugin
0
Shares
0
0
0
0
Plugin Name Shortcodes and extra features for Phlox theme
Type of Vulnerability Cross Site Scripting (XSS)
CVE Number CVE-2025-12379
Urgency Low
CVE Publish Date 2026-02-02
Source URL CVE-2025-12379

Authenticated Contributor Stored XSS in “Shortcodes and extra features for Phlox theme” (Auxin Elements) — What WordPress Site Owners Must Do Now

Summary

  • CVE: CVE-2025-12379
  • Affected plugin: Shortcodes and extra features for Phlox theme (Auxin Elements) — versions ≤ 2.17.13
  • Vulnerability type: Stored Cross-Site Scripting (XSS) via Modern Heading Widget
  • Required privilege: Contributor (authenticated)
  • Interaction: User interaction required (rendering page or admin click)
  • CVSS v3.1 base score: 6.5 (Medium)
  • Fixed in: 2.17.14

As a Hong Kong-based security expert team advising WordPress site operators, this advisory gives a clear technical explanation of the issue, who is at risk, likely attack scenarios, and concise remediation and recovery steps you can apply immediately.

1 — Quick summary for site owners (what to do right now)

  1. Check whether the plugin “Shortcodes and extra features for Phlox theme” (Auxin Elements) is installed. Verify the plugin version at WP Admin → Plugins.
  2. Update the plugin to version 2.17.14 or later immediately. This is the highest priority action.
  3. If you cannot update immediately, temporarily disable the plugin or restrict Contributor capability to create/edit the affected widget types. Audit or remove Modern Heading widgets created by low-privilege users.
  4. Run a full site malware scan and review recent edits to widgets and posts. Pay particular attention to HTML or script-like content in widget and heading fields.
  5. Enable or verify WAF (Web Application Firewall) rules where available to block stored XSS patterns and suspicious payloads in widget or post meta fields.

If time is limited: update the plugin first, then follow detection and cleanup guidance below.

2 — What was found (high-level technical description)

This vulnerability is a stored XSS in the Modern Heading widget provided by the plugin. An authenticated user with Contributor privileges can inject content into a widget form that the plugin stores and later outputs to frontend pages without sufficient escaping or sanitization. Because the payload is stored in the database and rendered when the page with the widget is loaded, the injected content can execute in the browsers of visitors — including editors and administrators who browse the site while logged in.

Key points:

  • Stored XSS means the payload persists in the site database and executes whenever rendered.
  • Contributor role is sufficient to store crafted content in a widget field.
  • The attacker must have or obtain Contributor access or trick a Contributor into adding the content.
  • Sites with open registration or many low-trust contributors are at greater risk.

3 — Why this vulnerability matters

Despite requiring only Contributor privileges, stored XSS is dangerous because it can target administrative users who visit the front-end while authenticated. Risks include:

  • Session cookie theft and unauthorized actions performed in the context of privileged users.
  • Defacement, spam injection, redirects, or delivery of further malware.
  • Establishing persistent footholds by injecting scripts that create additional content or accounts.

Typical attacker flow:

  1. Add a malicious Modern Heading containing script payload.
  2. Lure an admin/editor to the page or wait until a privileged user visits the page.
  3. Payload executes, attempts credential/token theft, or performs privileged actions.

4 — Exploitability and prerequisites

Exploit chain summary:

  • Attacker needs to create or edit a Modern Heading widget via the plugin UI (Contributor role suffices).
  • The plugin stores the widget content to the database.
  • When the page containing the widget is rendered, the stored content is output without proper HTML escaping and can be executed by the browser.
  • Some scenarios require social engineering to get an admin/editor to click a link; others are trivial on a public page frequented by logged-in users.

CVSS reasoning (6.5 — Medium): network attack vector, low attack complexity, low privileges required, user interaction required, and potential for scope change when attacker targets privileged sessions.

5 — Immediate remediation steps (for all WordPress site owners)

  1. Update the plugin to 2.17.14 or later via WP Admin → Plugins or download from the official source.
  2. If you cannot update immediately:
    • Temporarily disable the plugin from Plugins → Installed Plugins, or
    • Restrict Contributors from creating/modifying widgets, and remove or audit Modern Heading widgets added since the disclosure date.
  3. Rotate passwords for administrative accounts and any users who may have viewed suspicious pages while logged in.
  4. Revoke and reissue API keys, application passwords, or tokens that may have been exposed.
  5. If you detect active malicious scripts, consider taking the site offline (maintenance mode) while cleaning.

For environments managing many sites, apply a virtual patch at the WAF level to block suspicious requests against widget save endpoints and known payload patterns until updates are applied.

6 — Detection: what to look for (indicators of compromise)

  • Review widgets (Appearance → Widgets or Full Site Editor) for odd HTML, inline scripts, or encoded strings in Modern Heading fields.
  • Inspect wp_options, wp_posts, and wp_postmeta for unexpected HTML content or script tags.
  • Look for newly created widgets without clear authorship or headings containing