CVE-2025-13215
Unknown Unknown - Not Provided
Information Exposure in Phlox Theme Shortcodes Plugin Allows Draft Post Disclosure

Publication date: 2026-01-06

Last updated on: 2026-01-06

Assigner: Wordfence

Description
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-06
Last Modified
2026-01-06
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-13215
EUVD
EUVD-2026-1073
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
unknown_vendor phlox_theme_plugin to 2.17.13 (inc)
unknown_vendor auxin_elements *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Shortcodes and extra features for Phlox theme plugin for WordPress, specifically in the auxels_ajax_search AJAX handler. Due to insufficient restrictions on which posts can be included, unauthenticated attackers can exploit this flaw to extract titles of draft posts that they should not have access to. Essentially, the plugin does not properly restrict access to certain post data during AJAX search requests, leading to information exposure. [2]

Impact Analysis

The impact of this vulnerability is information exposure. An attacker without authentication can retrieve titles of draft posts that are meant to be private or unpublished. This could lead to leakage of sensitive or confidential information that was not intended for public viewing, potentially harming privacy or revealing internal content prematurely.

Detection Guidance

This vulnerability can be detected by monitoring AJAX requests to the auxels_ajax_search handler in the Auxin Elements WordPress plugin. You can look for unusual or unauthorized AJAX requests that attempt to extract draft post titles. For detection on the system, inspecting web server logs for POST requests to admin-ajax.php with the action parameter set to auxels_ajax_search may help. Example command to search web server logs (assuming Apache logs): grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=auxels_ajax_search'. Additionally, using tools like curl to simulate such requests and observe if draft post titles are returned can help confirm the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include updating the Shortcodes and extra features for Phlox theme plugin to a version later than 2.17.13 where the vulnerability is fixed. If an update is not immediately possible, restrict access to admin-ajax.php or the auxels_ajax_search AJAX handler via web application firewall rules or server configuration to block unauthenticated requests. Additionally, ensure that nonce verification and input sanitization are properly enforced in the AJAX handlers to prevent unauthorized access. [2]

Compliance Impact

The vulnerability allows unauthenticated attackers to extract titles of draft posts that they should not have access to, leading to information exposure. This unauthorized disclosure of potentially sensitive or confidential information could negatively impact compliance with data protection regulations such as GDPR or HIPAA, which require safeguarding of personal and sensitive data against unauthorized access. However, the provided resources do not explicitly discuss compliance implications. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-13215. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart