PT-2024-15193 · WordPress · Phlox
Justin Gardner +2
Published 2024-05-02 · Updated 2024-05-02
CVE-2023-7064
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Shortcodes and extra features for Phlox theme plugin for WordPress versions up to, and including, 2.15.2
Description
The issue is PHP Object Injection through deserialization of untrusted input taken from the id parameter of the auxin template control importer function. The parameter reaches a filesystem call that honours PHP stream wrappers, so a value beginning with phar:// makes PHP unserialize the metadata stored in the referenced PHAR archive. An authenticated attacker first uploads a PHAR payload disguised as an image file, then supplies its path through the id parameter, injecting an attacker-controlled PHP object. The plugin itself is not reported to ship a gadget chain; if a POP chain is present in an additional plugin or theme, the injected object can be used to delete arbitrary files, retrieve sensitive data, or execute code.
Recommendations
For versions up to, and including, 2.15.2, update to a version that fixes the PHP Object Injection vulnerability.
As a temporary workaround, restrict access to the auxin template control importer function and validate the id parameter against an allow-list of plain identifiers (no stream-wrapper prefixes such as phar://, no path separators) to minimize the risk of exploitation. Note that wrapper names are case-insensitive, so a deny-list that blocks only the lowercase phar:// string is not sufficient.
Avoid using the id parameter in the affected function until the issue is resolved.
Fix
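Two practical checks that follow from the description and the workaround above, as an added example that is not part of the advisory or of the Phlox plugin code. The first, is_safe_template_id(), is the allow-list validation the id parameter lacks: the phar:// technique needs a stream-wrapper URL to reach a filesystem call, so rejecting anything that is not a plain identifier closes it regardless of which PHP function consumes the value. The second, find_phar_polyglots(), scans an uploads directory for image-named files that carry a PHAR stub (every PHAR ends its stub with __HALT_COMPILER();), which is what the "PHAR payload uploaded as an image file" looks like on disk. Function names, the sample directory layout and the sample files are all constructed for this example; the plugin's own function that consumes id is not named on the page.

```python
"""Added example (not the advisory's or the plugin's code).

1. is_safe_template_id(): allow-list validation for a template id parameter.
2. find_phar_polyglots(): find image-named files that contain a PHAR stub.

All sample data below is constructed for the example.
"""
import os
import re
import tempfile
from pathlib import Path

# Any scheme prefix turns a "path" into a stream-wrapper URL (phar://, php://,
# data:, file:, ...). Wrapper names are case-insensitive in PHP, so the match
# is case-insensitive too; a check for the literal "phar://" alone would miss
# "PHAR://".
_WRAPPER_RE = re.compile(r"^\s*[a-z0-9.+-]+:", re.IGNORECASE)
# Allow-list: plain identifier characters only, bounded length.
_SAFE_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def is_safe_template_id(value) -> bool:
    """Return True only if `value` is a plain identifier: no scheme prefix,
    no path separators, no NUL, no traversal."""
    if not isinstance(value, str):
        return False
    if _WRAPPER_RE.match(value):
        return False
    if "/" in value or "\\" in value or "\x00" in value:
        return False
    return bool(_SAFE_ID_RE.match(value))


# A PHAR's stub must end with __HALT_COMPILER(); the binary manifest follows.
# A JPEG/PHAR polyglot keeps a valid image header in front of the stub, so the
# marker is searched for anywhere in the first `max_read` bytes.
_PHAR_STUB_MARKER = b"__HALT_COMPILER();"
_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".bmp", ".svg"}


def find_phar_polyglots(root, max_read: int = 4 * 1024 * 1024):
    """Walk `root` and return sorted paths of image-named files whose first
    `max_read` bytes contain a PHAR stub marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in _IMAGE_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(max_read)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if _PHAR_STUB_MARKER in head:
                hits.append(path)
    return sorted(hits)


def _build_sample_uploads(root: Path) -> Path:
    """Construct a toy uploads tree (constructed test data, not a real
    payload): one clean JPEG-looking file, one JPEG/PHAR polyglot, and one
    non-image file that contains the marker but must not be flagged."""
    jpeg_header = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    month = root / "2024" / "05"
    month.mkdir(parents=True)
    (month / "photo.jpg").write_bytes(jpeg_header + b"\x00" * 64)
    polyglot = (
        jpeg_header
        + b"<?php __HALT_COMPILER(); ?>\r\n"
        + b"\x00" * 32  # stand-in for the serialized manifest
    )
    (month / "avatar.jpg").write_bytes(polyglot)
    (month / "notes.txt").write_bytes(b"__HALT_COMPILER();")
    return root


def scan_sample_tree():
    """Build the constructed sample tree in a temp dir, scan it, and return
    the basenames of flagged files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = _build_sample_uploads(Path(tmp))
        return [os.path.basename(p) for p in find_phar_polyglots(root)]


if __name__ == "__main__":
    for candidate in ["42", "default-header",
                      "phar://../uploads/2024/05/avatar.jpg/x",
                      "PHAR://x", "../a"]:
        verdict = "ok" if is_safe_template_id(candidate) else "REJECT"
        print(f"{candidate!r:>45} -> {verdict}")
    print("flagged:", scan_sample_tree())
```

Run the module directly to see the validator reject the wrapper-prefixed and traversal values and the scan flag only the polyglot; on a real site, point find_phar_polyglots() at wp-content/uploads and treat any hit as an artefact to preserve and investigate, not merely delete.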
Weakness Enumeration
Deserialization of Untrusted Data (CWE-502)
Related Identifiers
CVE-2023-7064
Affected Products
Phlox