Description
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and ‘title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-10
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Apply Patch
AI Analysis

Impact

The Shortcodes and extra features for Phlox theme plugin for WordPress allows authenticated users with Contributor‑level access or higher to store malicious scripts through the 'tag' and 'title_tag' parameters used by the Modern Heading widget. This stored cross‑site scripting flaw is a classic input validation weakness (CWE‑79) that can lead to arbitrary script execution when a victim views the affected page, potentially compromising confidentiality, integrity, or leading to defacement. The impact is confined to pages where the malicious heading is rendered, but any user who visits those pages will have the injected code executed in their browser, allowing further attacks such as cookie theft or phishing.

Affected Systems

Shortcodes and extra features for Phlox theme plugin for WordPress, versions up to 2.17.13. All users running WordPress sites that have installed this plugin and have a Contributor‑level or higher role can be affected.

Risk and Exploitability

The CVSS score of 6.4 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low exploitation likelihood at present. It is not listed in CISA KEV. Exploitation requires authenticated access and the ability to edit page content via the Modern Heading widget; the attacker must supply crafted 'tag' or 'title_tag' values that bypass the plugin’s limited sanitization.

Generated by OpenCVE AI on April 22, 2026 at 20:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Shortcodes and extra features for Phlox theme to the latest release (≥ 2.18) which removes the XSS flaw.
  • If an update cannot be applied immediately, limit Contributor or higher roles from editing page content or remove the Modern Heading widget entirely to deny the attack surface.
  • As a temporary workaround, edit the plugin files or apply a filter to strip or escape characters in the 'tag' and 'title_tag' parameters before rendering the heading.

Generated by OpenCVE AI on April 22, 2026 at 20:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 12 Jan 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 12 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Averta
Averta shortcodes And Extra Features For Phlox Theme
Wordpress
Wordpress wordpress
Vendors & Products Averta
Averta shortcodes And Extra Features For Phlox Theme
Wordpress
Wordpress wordpress

Sat, 10 Jan 2026 14:00:00 +0000

Type Values Removed Values Added
Description The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a combination of the 'tag' and ‘title_tag’ parameters in all versions up to, and including, 2.17.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Title Shortcodes and extra features for Phlox theme <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

Subscriptions

Averta Shortcodes And Extra Features For Phlox Theme
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:14.421Z

Reserved: 2025-10-28T00:38:54.310Z

Link: CVE-2025-12379

cve-icon Vulnrichment

Updated: 2026-01-12T18:29:17.138Z

cve-icon NVD

Status : Deferred

Published: 2026-01-10T14:15:49.690

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12379

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T20:15:20Z

Weaknesses