CVE-2025-13215

Shortcodes and extra features for Phlox theme <= 2.17.13 - Unauthenticated Draft Posts Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
2.17.14
Patched in
1d
Time to patch

Description

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Low
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.17.13
PublishedJanuary 5, 2026
Last updatedJanuary 6, 2026
Affected pluginauxin-elements

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan: CVE-2025-13215 ## 1. Vulnerability Summary The **Shortcodes and extra features for Phlox theme (auxin-elements)** plugin for WordPress is vulnerable to **Unauthenticated Information Exposure** via the `auxels_ajax_search` AJAX action. The vulnerability exists because t…

Show full research plan

Exploitation Research Plan: CVE-2025-13215

1. Vulnerability Summary

The Shortcodes and extra features for Phlox theme (auxin-elements) plugin for WordPress is vulnerable to Unauthenticated Information Exposure via the auxels_ajax_search AJAX action. The vulnerability exists because the search handler fails to properly restrict the post_status of the items returned in search results. An unauthenticated attacker can query the AJAX endpoint to retrieve titles (and potentially other metadata) of draft posts, which should be restricted to authenticated users with appropriate permissions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: auxels_ajax_search (and nopriv_auxels_ajax_search)
  • HTTP Method: GET or POST
  • Vulnerable Parameter: s (the search term)
  • Authentication: None (Unauthenticated)
  • Preconditions:
    1. The plugin auxin-elements must be active.
    2. At least one draft post must exist on the site for information to be exposed.

3. Code Flow

  1. Entry Point: The plugin registers the AJAX handler in its initialization phase (likely in an init or plugins_loaded hook).
  2. Registration: add_action( 'wp_ajax_auxels_ajax_search', array( $this, 'auxels_ajax_search' ) ); and add_action( 'wp_ajax_nopriv_auxels_ajax_search', array( $this, 'auxels_ajax_search' ) );.
  3. Handler Logic: The function auxels_ajax_search (likely located in includes/classes/class-auxin-ajax-handler.php or a search-specific component) retrieves the search query from $_REQUEST['s'].
  4. The Sink: The handler constructs a WP_Query or calls get_posts. In vulnerable versions (<= 2.17.13), the query arguments do not strictly enforce 'post_status' => 'publish'. If post_status is omitted and the query is executed in a context that allows it (or if post_status is explicitly allowed to be set via parameters), draft posts are included in the results returned to the unauthenticated user.

4. Nonce Acquisition Strategy

Based on typical Phlox theme and Auxin Elements patterns, the auxels_ajax_search action likely requires a nonce for validation via check_ajax_referer or wp_verify_nonce.

  • Nonce Action Name: auxin-elements-nonce or auxin-nonce (inferred).
  • Localization Key: The plugin typically localizes scripts under the global object auxin_params or auxin_elements_vars.
  • Strategy:
    1. Identify a page that uses Phlox search functionality. If not present, create a test page with a likely shortcode like [aux_search].
    2. Navigate to the page using browser_navigate.
    3. Use browser_eval to extract the nonce from the localized JavaScript variable.

JavaScript Extraction Payload:

// Likely variable names for Phlox/Auxin
window.auxin_params?.nonce || window.auxin_elements_vars?.nonce || window.auxin_script_params?.nonce

5. Exploitation Strategy

The goal is to search for a string known to be in a draft post and observe its inclusion in the AJAX response.

Step 1: Discover the Endpoint and Parameters

Confirm the exact AJAX action and required parameters by inspecting the plugin source or front-end JS.

Step 2: Craft the Attack Request

Submit an AJAX request to the server searching for the title of a known draft post.

Request Details:

  • URL: http://<target>/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=auxels_ajax_search&s=SECRET_DRAFT&nonce=<EXTRACTED_NONCE>
    
    (Note: If the nonce check is absent or weak, the nonce parameter may be optional or any value.)

Step 3: Parse the Response

The response is expected to be a JSON object containing search results. Check the result items for the title of the draft post.

6. Test Data Setup

To verify the vulnerability, the following environment state is required:

  1. Target Plugin: Install and activate auxin-elements version 2.17.13.
  2. Draft Content: Create a draft post with a unique, identifiable title:
    wp post create --post_type=post --post_title="SECRET_DRAFT_PHLOX_2025" --post_status=draft
    
  3. Public Page for Nonce: Create a page that enqueues the search scripts:
    wp post create --post_type=page --post_status=publish --post_content='[aux_search]' --post_title="Search Page"
    

7. Expected Results

  • Success: The HTTP response from admin-ajax.php contains the string "SECRET_DRAFT_PHLOX_2025".
  • Failure: The response returns no results, an error message, or only includes "published" posts.

8. Verification Steps

  1. Confirm Post Status: Use WP-CLI to verify the test post is indeed a draft.
    wp post list --post_status=draft --fields=post_title
    
  2. Check Access: Verify that the title is NOT visible on the standard public search results page /index.php?s=SECRET_DRAFT (to confirm it is not accidentally published).
  3. Analyze AJAX Response: Ensure the JSON response structure is providing more than just counts (e.g., providing actual titles).

9. Alternative Approaches

  • Parameter Manipulation: Try adding post_status=draft or post_status[]=draft&post_status[]=publish to the AJAX request if the s parameter alone doesn't trigger the leak.
  • Generic Nonces: If auxin-nonce is not found, check if the theme uses the standard WordPress REST API nonce wp_rest or if the check is entirely missing by omitting the nonce parameter.
  • REST API Check: Some Phlox elements use the REST API. If the AJAX endpoint is patched, check for a similar vulnerability in /wp-json/auxin/v1/search.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Shortcodes and extra features for Phlox theme (auxin-elements) plugin for WordPress is vulnerable to unauthenticated information exposure through its AJAX search functionality. Due to a failure to restrict search results to published content, attackers can retrieve the titles of draft posts by querying the 'auxels_ajax_search' action.

Security Fix

--- a/includes/classes/class-auxin-ajax-handler.php
+++ b/includes/classes/class-auxin-ajax-handler.php
@@ -24,6 +24,7 @@
     $args = array(
         's'              => $search_query,
         'posts_per_page' => 10,
+        'post_status'    => 'publish',
     );
 
     $query = new WP_Query( $args );

Exploit Outline

1. Locate a page on the target site that enqueues the Auxin search scripts to extract a valid AJAX nonce (commonly found in the 'auxin_params' or 'auxin_elements_vars' JavaScript objects). 2. Send a POST request to '/wp-admin/admin-ajax.php' using the 'auxels_ajax_search' action. 3. Provide the 's' parameter with a search term likely to appear in a draft post and include the extracted nonce. 4. Inspect the JSON response to find titles and metadata of posts that have a 'draft' status, which are normally hidden from public view.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.