Impact
The vulnerability is an "Insertion of Sensitive Information Into Sent Data" flaw in the WordPress plugin Shortcodes and extra features for Phlox theme (auxin-elements). An attacker who can exercise the affected plugin functionality can cause it to include sensitive data in the responses it sends, allowing the attacker to read protected information that should not be publicly exposed. The flaw impacts confidentiality: it can expose confidential site data such as stored API keys, database credentials, or other configuration secrets that the plugin stores or references in its content structures.
Affected Systems
The issue affects the WordPress plugin Shortcodes and extra features for Phlox theme (auxin-elements) in all released versions up to and including 2.17.15. The vendor is averta, and the plugin is commonly installed on WordPress sites that use the Phlox theme. Any site running one of these affected versions is potentially vulnerable.
Risk and Exploitability
The CVSS score is 5.3, indicating medium severity. The EPSS score is below 1%, signaling that the probability of exploitation is low, and the vulnerability is not currently listed in the CISA KEV catalog. The likely attack vector is a remotely controllable request to the plugin, typically via a public endpoint or shortcode rendering, that causes hidden data to be returned. Although exploitation does not yield arbitrary code execution or privilege escalation, the exposure of sensitive data can cause significant damage, especially if the leaked information is valuable in itself or enables follow-on attacks.
OpenCVE Enrichment