CVE-2024-50500
Published: 03 February 2025
Summary
CVE-2024-50500 is a medium-severity Missing Authorization (CWE-862) vulnerability in Averta Shortcodes And Extra Features For Phlox Theme. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-50500 is a missing authorization vulnerability in the WordPress plugin "Shortcodes and extra features for Phlox theme," also known as auxin-elements. The flaw allows exploiting incorrectly configured access control security levels and affects all versions from n/a through 2.17.4. It is classified under CWE-862 (Missing Authorization) with a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating medium severity due to low-privilege requirements and network accessibility.
An attacker with low privileges, such as an authenticated user with basic access like a subscriber or contributor, can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation enables limited integrity impacts (I:L), such as unauthorized modifications to plugin functionality or site elements, without affecting confidentiality or availability.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/auxin-elements/vulnerability/wordpress-phlox-core-elements-plugin-2-17-2-broken-access-control-vulnerability?_s_id=cve details the vulnerability, with mitigation centered on updating the auxin-elements plugin to a version beyond 2.17.4.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-44627
Vulnerability details
Missing Authorization vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shortcodes and extra features for Phlox theme: from n/a through <= 2.17.4.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authorization (CWE-862) in a public-facing WordPress plugin directly enables remote exploitation by low-privileged authenticated users to perform unauthorized modifications.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations preventing low-privilege users from exploiting missing authorization checks in the plugin.
Requires timely flaw remediation by updating the vulnerable auxin-elements plugin beyond version 2.17.4.
Limits privileges to the minimum necessary, reducing the scope of unauthorized modifications exploitable by low-privilege authenticated users.