CVE-2025-63071

Severity: MEDIUM, CVSS 3.1 base score 5.3
Published: 2025-12-09

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

CVE Published: Dec 09, 2025 16:18 (nvd), rated MEDIUM 5.3
Analysis Generated: Apr 01, 2026 15:22 (vuln.today)

Description

Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data. This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.15.

Analysis

Insertion of sensitive information into sent data in the auxin-elements WordPress plugin (Shortcodes and extra features for Phlox theme), versions up to and including 2.17.15, allows unauthenticated remote attackers to retrieve embedded sensitive data from network-accessible responses. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) describes a low-complexity network attack that needs no privileges and no user interaction and affects confidentiality only, at low impact; integrity and availability are untouched. The EPSS score of 0.04% indicates a low predicted likelihood of exploitation in the wild.

Technical Context

The vulnerability is classed as CWE-201 (Insertion of Sensitive Information Into Sent Data): the application includes sensitive data in a response sent to an external party that has no need for it. The advisory does not name the leaking code path within auxin-elements, which adds shortcodes and extra features to the Phlox theme. WordPress plugins of this kind reach the client through three surfaces: REST API routes registered under /wp-json/, admin-ajax.php actions (including wp_ajax_nopriv_* handlers reachable without a login), and the HTML or inline script emitted when a shortcode is rendered. A CWE-201 defect in any of these can return configuration values, user details, or third-party API keys and tokens that were stored alongside ordinary display settings. The CVSS vector (PR:N, UI:N) indicates that the leaking response is reachable without authentication.
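The pattern the paragraph describes, as an added example that is not auxin-elements code and not taken from the advisory: a WordPress REST route that hands a plugin's entire options array to anonymous callers, next to a hardened version that allow-lists the public fields and keeps secrets behind a capability check. Route names, option keys and field names are all hypothetical.

```php
<?php
// Added example, not auxin-elements code: a generic CWE-201 pattern in a
// WordPress plugin REST endpoint, first vulnerable, then hardened.
// Route names, option keys and field names are hypothetical.

// --- Vulnerable: every stored option, secrets included, goes to anyone on the network.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-elements/v1', '/settings', array(
        'methods'             => 'GET',
        // No authentication: an anonymous GET is accepted (matches CVSS PR:N / UI:N).
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            // The whole option blob is serialised, including fields such as
            // 'mailchimp_api_key' or 'license_key' stored next to display settings.
            return rest_ensure_response( get_option( 'example_elements_options', array() ) );
        },
    ) );
} );

// --- Hardened: allow-list the public fields, and never copy secret-bearing keys.
function example_elements_secret_keys() {
    // Keys that must never leave the server in cleartext (hypothetical names).
    return array( 'mailchimp_api_key', 'license_key', 'smtp_password' );
}

function example_elements_public_settings() {
    $opts          = get_option( 'example_elements_options', array() );
    $public_fields = array( 'primary_color', 'grid_columns', 'show_author_box' );
    $out           = array();
    foreach ( $public_fields as $field ) {
        if ( array_key_exists( $field, $opts ) ) {
            $out[ $field ] = $opts[ $field ];
        }
    }
    return rest_ensure_response( $out );
}

add_action( 'rest_api_init', function () {
    // Public view: still anonymous, but only the allow-listed fields are returned.
    register_rest_route( 'example-elements/v1', '/public-settings', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true',
        'callback'            => 'example_elements_public_settings',
    ) );
    // Privileged view for the admin UI: capability check (cookie auth plus REST nonce
    // is handled by WordPress core before this callback runs).
    register_rest_route( 'example-elements/v1', '/admin-settings', array(
        'methods'             => 'GET',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback'            => function () {
            $opts = get_option( 'example_elements_options', array() );
            // Even for admins, mask secrets; the UI only needs to know one is set.
            foreach ( example_elements_secret_keys() as $k ) {
                if ( isset( $opts[ $k ] ) && '' !== $opts[ $k ] ) {
                    $opts[ $k ] = '********';
                }
            }
            return rest_ensure_response( $opts );
        },
    ) );
} );
```

The vulnerable route lines up with the CVE's vector: no privileges, no user interaction, one GET, and only confidentiality affected. A permission_callback that returns true is legitimate for genuinely public data; the defect is what the callback chooses to serialise, so the fix is an allow-list on the response, not only an authentication check.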

Affected Products

The Shortcodes and extra features for Phlox theme plugin (auxin-elements) for WordPress is affected in all versions through 2.17.15; the advisory gives no lower bound ("n/a"), so every earlier release should be treated as affected. The vulnerability sits in the plugin's shortcode processing and theme feature modules. Administrators should consult the Patchstack database entry at https://patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-shortcodes-and-extra-features-for-phlox-theme-plugin-2-17-12-sensitive-data-exposure-vulnerability?_s_id=cve for version tracking and confirmation of the fixed release.

Remediation

Update the auxin-elements plugin as soon as the vendor publishes a patched release; check the WordPress plugin repository and the Patchstack database for version 2.17.16 or later and confirm there that the release actually closes this issue. Until a patch is verified and deployed, deactivate the plugin if its shortcode functionality is not critical to the site. Because the exposure is readable by unauthenticated clients, assume any API keys, tokens or other credentials the plugin stores may already have been read, and rotate them. Administrators should also verify that no leakage is occurring: request each of the plugin's REST routes and admin-ajax actions without a session cookie and inspect the response bodies, and review anything the plugin has logged or cached. Refer to the vendor advisory at https://patchstack.com/database/Wordpress/Plugin/auxin-elements for patch availability and detailed remediation guidance.
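One way to perform the leakage check described above, written here as an added example rather than anything from the page or the plugin: save the body of an unauthenticated request to each REST route or admin-ajax action the plugin registers, then run it through a scanner that flags credential-like field names and values. The sample response body is constructed, and the function name is hypothetical.

```php
<?php
// Added example, not part of the vuln.today page or the auxin-elements plugin.
// Offline check for CWE-201-style leakage: point it at a saved HTTP response
// body (for example from `curl -s https://site/wp-json/<namespace>/v1/<route>`
// or an admin-ajax.php call made WITHOUT a login cookie) and it reports fields
// whose name or value looks like a credential. The sample body below is constructed.

function example_find_sensitive_fields( $data, $path = '' ) {
    $hits = array();
    // Key-name heuristic: names plugins commonly use for secrets.
    $key_re = '/(api[_-]?key|secret|token|password|passwd|license|private[_-]?key)/i';
    // Value heuristic: long unbroken base64/hex-like strings, the shape of most API keys.
    $value_re = '/^[A-Za-z0-9_\-]{20,}$/';

    if ( is_array( $data ) || is_object( $data ) ) {
        foreach ( (array) $data as $k => $v ) {
            $child = '' === $path ? (string) $k : $path . '.' . $k;
            if ( is_string( $k ) && preg_match( $key_re, $k ) && is_scalar( $v ) && '' !== (string) $v ) {
                $hits[] = array( 'path' => $child, 'reason' => 'sensitive key name', 'value' => (string) $v );
            } elseif ( is_string( $v ) && preg_match( $value_re, $v ) ) {
                $hits[] = array( 'path' => $child, 'reason' => 'credential-like value', 'value' => $v );
            }
            // Recurse into nested objects/arrays regardless of whether this level hit.
            $hits = array_merge( $hits, example_find_sensitive_fields( $v, $child ) );
        }
    }
    return $hits;
}

// Constructed sample of what an over-sharing settings endpoint might return.
$body = '{"primary_color":"#3366cc","grid_columns":3,'
      . '"integrations":{"mailchimp_api_key":"0123456789abcdef0123456789abcdef-us21",'
      . '"license_key":"","smtp":{"host":"smtp.example.test","password":"hunter2"}}}';

$decoded = json_decode( $body, true );
if ( null === $decoded ) {
    fwrite( STDERR, 'response is not JSON: ' . json_last_error_msg() . "\n" );
    exit( 2 );
}

$hits = example_find_sensitive_fields( $decoded );
foreach ( $hits as $h ) {
    printf( "%-40s %-24s %s\n", $h['path'], $h['reason'], $h['value'] );
}
// Exit non-zero when anything leaked, so the check can gate a deployment.
exit( empty( $hits ) ? 0 : 1 );
```

On the constructed sample this reports integrations.mailchimp_api_key and integrations.smtp.password and exits 1; the empty license_key is skipped. To scan a real capture, replace $body with file_get_contents('response.json'). Treat a hit as a lead rather than proof: the key-name list is a heuristic, and a public nonce or a long display string can trip the value pattern, so confirm by reading the endpoint's source.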

Priority Score

27 (components: KEV 0, EPSS +0.0, CVSS +26, POC 0)
