Description
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.
Published: 2026-01-06
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Exposure
Action: Apply Patch
AI Analysis

Impact

The Shortcodes and extra features for Phlox theme plugin for WordPress allows unauthenticated users to retrieve the titles of draft posts through the auxels_ajax_search AJAX endpoint. An attacker can issue a simple HTTP request to the endpoint, observe the response, and capture the draft titles that should remain private. This vulnerability is a classic information-exposure flaw (CWE-200) that can reveal sensitive development content to anyone on the internet.

Affected Systems

WordPress sites running the Averta "Shortcodes and extra features for Phlox theme" plugin version 2.17.13 or earlier are affected. The flaw resides in the AJAX handler included in the plugin’s public sources and is not limited by authentication or user role checks.

Risk and Exploitability

The CVSS base score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% reflects a low but non-zero likelihood of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog, suggesting no known active exploitation. Attackers can exploit the flaw remotely without credentials by simply sending a request to the auxels_ajax_search endpoint, meaning successful exploitation is straightforward for motivated adversaries. Nonetheless, the path to compromise is limited to the AJAX request and the data exposed is only draft post titles, not full content.

Generated by OpenCVE AI on April 21, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Averta Shortcodes and extra features for Phlox theme plugin to a version newer than 2.17.13 where the AJAX handler enforces authentication before returning post data
  • If an immediate upgrade is not feasible, disable the auxels_ajax_search endpoint by removing or disabling the related hook in the plugin’s code or by configuring the plugin settings to hide the advanced search feature
  • As a temporary measure, restrict access to the frontend-ajax.php script using web-server rules or security plugins so that only authenticated users can request it, thereby preventing unauthenticated data leakage



Advisories

No advisories yet.

History

Tue, 06 Jan 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 14:30:00 +0000

Type: First Time appeared
Values Added: Averta; Averta shortcodes And Extra Features For Phlox Theme; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Averta; Averta shortcodes And Extra Features For Phlox Theme; Wordpress; Wordpress wordpress

Tue, 06 Jan 2026 07:00:00 +0000

Type: Description
Values Added: The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.

Type: Title
Values Added: Shortcodes and extra features for Phlox theme <= 2.17.13 - Unauthenticated Draft Posts Information Exposure

Type: Weaknesses
Values Added: CWE-200

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:03:19.132Z

Reserved: 2025-11-14T19:32:41.238Z

Link: CVE-2025-13215

Vulnrichment

Updated: 2026-01-06T14:34:08.065Z

NVD

Status: Deferred

Published: 2026-01-06T07:15:42.663

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-13215

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T17:00:12Z

Weaknesses