Cyber Resilience

CVE-2024-50500

Medium

Published: 03 February 2025

Published
03 February 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.0005 17.1th percentile
Risk Priority 9 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50500 is a medium-severity Missing Authorization (CWE-862) vulnerability in Averta Shortcodes And Extra Features For Phlox Theme. Its CVSS base score is 4.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-50500 is a missing authorization vulnerability in the WordPress plugin "Shortcodes and extra features for Phlox theme," also known as auxin-elements. The flaw allows exploiting incorrectly configured access control security levels and affects all versions from n/a through 2.17.4. It is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating medium severity due to low-privilege requirements and network accessibility.

An attacker with low privileges, such as an authenticated user with basic access like a subscriber or contributor, can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation enables limited integrity impacts (I:L), such as unauthorized modifications to plugin functionality or site elements, without affecting confidentiality or availability.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-phlox-core-elements-plugin-2-17-2-broken-access-control-vulnerability?_s_id=cve details the vulnerability, with mitigation centered on updating the auxin-elements plugin to a version beyond 2.17.4.

EU & UK References

Vulnerability details

Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.4.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote exploitation by low-privileged authenticated users to perform unauthorized modifications.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-45209Shared CWE-862
CVE-2026-25026Shared CWE-862
CVE-2026-42083Shared CWE-862
CVE-2026-0656Shared CWE-862
CVE-2026-24532Shared CWE-862
CVE-2025-13603Shared CWE-862
CVE-2025-69063Shared CWE-862
CVE-2026-3045Shared CWE-862
CVE-2025-67956Shared CWE-862
CVE-2025-41765Shared CWE-862

Affected Assets

averta
shortcodes and extra features for phlox theme
≤ 2.17.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces approved authorizations preventing low-privilege users from exploiting missing authorization checks in the plugin.

prevent

Requires timely flaw remediation by updating the vulnerable auxin-elements plugin beyond version 2.17.4.

prevent

Limits privileges to the minimum necessary, reducing the scope of unauthorized modifications exploitable by low-privilege authenticated users.

References