Shortcodes and extra features for Phlox theme <= 2.17.13 - Unauthenticated Draft Posts Information Exposure
Description
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:NTechnical Details
<=2.17.13Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-13215 ## 1. Vulnerability Summary The **Shortcodes and extra features for Phlox theme (auxin-elements)** plugin for WordPress is vulnerable to **Unauthenticated Information Exposure** via the `auxels_ajax_search` AJAX action. The vulnerability exists because t…
Show full research plan
Exploitation Research Plan: CVE-2025-13215
1. Vulnerability Summary
The Shortcodes and extra features for Phlox theme (auxin-elements) plugin for WordPress is vulnerable to Unauthenticated Information Exposure via the auxels_ajax_search AJAX action. The vulnerability exists because the search handler fails to properly restrict the post_status of the items returned in search results. An unauthenticated attacker can query the AJAX endpoint to retrieve titles (and potentially other metadata) of draft posts, which should be restricted to authenticated users with appropriate permissions.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin-ajax.php - Action:
auxels_ajax_search(andnopriv_auxels_ajax_search) - HTTP Method:
GETorPOST - Vulnerable Parameter:
s(the search term) - Authentication: None (Unauthenticated)
- Preconditions:
- The plugin
auxin-elementsmust be active. - At least one draft post must exist on the site for information to be exposed.
- The plugin
3. Code Flow
- Entry Point: The plugin registers the AJAX handler in its initialization phase (likely in an
initorplugins_loadedhook). - Registration:
add_action( 'wp_ajax_auxels_ajax_search', array( $this, 'auxels_ajax_search' ) );andadd_action( 'wp_ajax_nopriv_auxels_ajax_search', array( $this, 'auxels_ajax_search' ) );. - Handler Logic: The function
auxels_ajax_search(likely located inincludes/classes/class-auxin-ajax-handler.phpor a search-specific component) retrieves the search query from$_REQUEST['s']. - The Sink: The handler constructs a
WP_Queryor callsget_posts. In vulnerable versions (<= 2.17.13), the query arguments do not strictly enforce'post_status' => 'publish'. Ifpost_statusis omitted and the query is executed in a context that allows it (or ifpost_statusis explicitly allowed to be set via parameters), draft posts are included in the results returned to the unauthenticated user.
4. Nonce Acquisition Strategy
Based on typical Phlox theme and Auxin Elements patterns, the auxels_ajax_search action likely requires a nonce for validation via check_ajax_referer or wp_verify_nonce.
- Nonce Action Name:
auxin-elements-nonceorauxin-nonce(inferred). - Localization Key: The plugin typically localizes scripts under the global object
auxin_paramsorauxin_elements_vars. - Strategy:
- Identify a page that uses Phlox search functionality. If not present, create a test page with a likely shortcode like
[aux_search]. - Navigate to the page using
browser_navigate. - Use
browser_evalto extract the nonce from the localized JavaScript variable.
- Identify a page that uses Phlox search functionality. If not present, create a test page with a likely shortcode like
JavaScript Extraction Payload:
// Likely variable names for Phlox/Auxin
window.auxin_params?.nonce || window.auxin_elements_vars?.nonce || window.auxin_script_params?.nonce
5. Exploitation Strategy
The goal is to search for a string known to be in a draft post and observe its inclusion in the AJAX response.
Step 1: Discover the Endpoint and Parameters
Confirm the exact AJAX action and required parameters by inspecting the plugin source or front-end JS.
Step 2: Craft the Attack Request
Submit an AJAX request to the server searching for the title of a known draft post.
Request Details:
- URL:
http://<target>/wp-admin/admin-ajax.php - Method:
POST - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
(Note: If the nonce check is absent or weak, the nonce parameter may be optional or any value.)action=auxels_ajax_search&s=SECRET_DRAFT&nonce=<EXTRACTED_NONCE>
Step 3: Parse the Response
The response is expected to be a JSON object containing search results. Check the result items for the title of the draft post.
6. Test Data Setup
To verify the vulnerability, the following environment state is required:
- Target Plugin: Install and activate
auxin-elementsversion 2.17.13. - Draft Content: Create a draft post with a unique, identifiable title:
wp post create --post_type=post --post_title="SECRET_DRAFT_PHLOX_2025" --post_status=draft - Public Page for Nonce: Create a page that enqueues the search scripts:
wp post create --post_type=page --post_status=publish --post_content='[aux_search]' --post_title="Search Page"
7. Expected Results
- Success: The HTTP response from
admin-ajax.phpcontains the string"SECRET_DRAFT_PHLOX_2025". - Failure: The response returns no results, an error message, or only includes "published" posts.
8. Verification Steps
- Confirm Post Status: Use WP-CLI to verify the test post is indeed a draft.
wp post list --post_status=draft --fields=post_title - Check Access: Verify that the title is NOT visible on the standard public search results page
/index.php?s=SECRET_DRAFT(to confirm it is not accidentally published). - Analyze AJAX Response: Ensure the JSON response structure is providing more than just counts (e.g., providing actual titles).
9. Alternative Approaches
- Parameter Manipulation: Try adding
post_status=draftorpost_status[]=draft&post_status[]=publishto the AJAX request if thesparameter alone doesn't trigger the leak. - Generic Nonces: If
auxin-nonceis not found, check if the theme uses the standard WordPress REST API noncewp_restor if the check is entirely missing by omitting thenonceparameter. - REST API Check: Some Phlox elements use the REST API. If the AJAX endpoint is patched, check for a similar vulnerability in
/wp-json/auxin/v1/search.
Summary
The Shortcodes and extra features for Phlox theme (auxin-elements) plugin for WordPress is vulnerable to unauthenticated information exposure through its AJAX search functionality. Due to a failure to restrict search results to published content, attackers can retrieve the titles of draft posts by querying the 'auxels_ajax_search' action.
Security Fix
@@ -24,6 +24,7 @@ $args = array( 's' => $search_query, 'posts_per_page' => 10, + 'post_status' => 'publish', ); $query = new WP_Query( $args );
Exploit Outline
1. Locate a page on the target site that enqueues the Auxin search scripts to extract a valid AJAX nonce (commonly found in the 'auxin_params' or 'auxin_elements_vars' JavaScript objects). 2. Send a POST request to '/wp-admin/admin-ajax.php' using the 'auxels_ajax_search' action. 3. Provide the 's' parameter with a search term likely to appear in a draft post and include the extracted nonce. 4. Inspect the JSON response to find titles and metadata of posts that have a 'draft' status, which are normally hidden from public view.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.