CVE-2023-7064
WordPress vulnerability analysis and mitigation

Overview

The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to PHP Object Injection (CVE-2023-7064) in all versions up to and including 2.15.2. The flaw is in the 'auxintemplatecontrol_importer' function, which deserializes untrusted input supplied through the 'id' parameter (NVD).

Technical details

The vulnerability exists because the 'auxintemplatecontrol_importer' function deserializes untrusted input taken from the 'id' parameter. It is exploitable by authenticated attackers who can upload PHAR files disguised as images: PHP honours stream wrappers in paths handed to filesystem functions, so a phar:// path pointing at such an upload makes the engine parse the archive and unserialize its metadata, injecting PHP objects without any explicit unserialize() call in the plugin. The vulnerable action is reachable by users with the Subscriber role, but the plugin itself contains no POP (Property Oriented Programming) chain, so turning the injection into concrete impact depends on gadgets in other installed code; that is why the attack complexity is rated High. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (Wordfence).
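The following added example illustrates the pattern the advisory describes; it is not code from the Phlox plugin, which this report does not reproduce. Both handlers, the nonce action name 'auxin_import_template', the capability check and the templates directory are assumptions chosen for the illustration. The first function shows how a filesystem call on an attacker-controlled path is enough to trigger PHAR metadata deserialization; the second shows the shape of a fix: validate the identifier, build the path server side, and gate the action behind a capability that subscribers do not have.

```php
<?php
// Added illustration, not code from the Phlox plugin. Both handlers are
// hypothetical and exist only to show the pattern behind CVE-2023-7064.

// Vulnerable pattern: the 'id' request parameter is passed straight to a
// filesystem function. PHP resolves stream wrappers in that path, and a
// phar:// path makes the engine parse the archive and unserialize its
// metadata, so objects are injected without any unserialize() call. An
// attacker who can upload a PHAR renamed to .jpg through the media
// library controls that archive.
function vulnerable_template_importer(): void {
    $id = isset($_POST['id']) ? (string) $_POST['id'] : '';
    // e.g. "phar:///var/www/html/wp-content/uploads/2023/12/photo.jpg"
    if (file_exists($id)) {            // stat() on phar:// => metadata unserialize
        echo file_get_contents($id);
    }
}

// Hardened pattern: the identifier is validated against the exact shape the
// feature needs, the path is assembled server side inside a fixed directory,
// and the action is protected by a nonce and a capability subscribers lack.
function hardened_template_importer(): void {
    // Nonce action name is an assumption for this example.
    check_ajax_referer('auxin_import_template', 'nonce');        // CSRF guard
    if (!current_user_can('edit_theme_options')) {              // excludes subscribers
        wp_send_json_error('forbidden', 403);
    }

    $id = isset($_POST['id']) ? (string) $_POST['id'] : '';
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $id)) {           // no scheme, no slashes
        wp_send_json_error('invalid id', 400);
    }

    // Templates directory is an assumption for this example.
    $base = realpath(plugin_dir_path(__FILE__) . 'templates');
    $path = realpath($base . '/' . $id . '.json');
    // realpath() returns false for missing files and normalises "..", so a
    // prefix check pins the result inside the templates directory.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        wp_send_json_error('not found', 404);
    }

    wp_send_json_success(file_get_contents($path));
}

// Defence in depth for any code path that must accept a user supplied path:
// refuse wrapper syntax ("phar://", "php://", ...) before the filesystem sees it.
function reject_stream_wrappers(string $path): bool {
    return preg_match('#\A[a-z][a-z0-9+.-]*://#i', $path) !== 1;
}
```

The allow-list regex is the key control: it rules out the scheme separator and path separators, so no stream wrapper can be smuggled into the path regardless of whether a gadget chain happens to be present on the site. The capability check addresses the second finding in the advisory, that the action was reachable by subscribers.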

Impact

If a POP chain is present via an additional plugin or theme installed on the target system, this vulnerability could allow attackers to delete arbitrary files, retrieve sensitive data, or execute code on the affected system (NVD).

Mitigation and workarounds

Users should update the Shortcodes and extra features for Phlox theme plugin to a version newer than 2.15.2. The latest version at the time of writing (2.17.4) includes security improvements that address this vulnerability (WordPress Plugin). Because the injection only becomes damaging through a POP chain in another plugin or theme, keeping the rest of the installed code base current reduces the impact even on sites where the update is delayed.

Additional resources

Sources: NVD, Wordfence, and the WordPress plugin page, as cited above.

This report was generated using AI.
