CVE-2025-13215: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in averta Shortcodes and extra features for Phlox theme
The Shortcodes and extra features for Phlox theme plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 2.17.13 via the auxels_ajax_search due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract titles of draft posts that they should not have access to.
AI Analysis
Technical Summary
CVE-2025-13215 is an information exposure vulnerability in the Shortcodes and extra features for Phlox theme plugin for WordPress, developed by averta. It affects all versions up to and including 2.17.13 and lies in the plugin's auxels_ajax_search feature. WordPress exposes plugin AJAX handlers through wp-admin/admin-ajax.php, and a handler registered on the wp_ajax_nopriv_ hook is reachable without any session; the advisory's "unauthenticated attackers" wording indicates this handler is. The handler does not adequately restrict which posts the search is allowed to return, so draft posts end up in the result set and their titles are handed back to whoever issued the query.

The root cause is therefore a missing authorization constraint on the search query, not an injection flaw: WordPress normally limits anonymous readers to published content, and this handler bypasses that restriction for the posts it includes. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). This entry does not reproduce the plugin's code, so the exact query arguments that cause drafts to be included are not known from it.

The CVSS v3.1 base score is 5.3 (medium). The vector reflects a network-reachable endpoint (AV:N), low attack complexity (AC:L), no privileges (PR:N), no user interaction (UI:N), unchanged scope (S:U) and a low confidentiality impact (C:L) with no integrity or availability impact (I:N/A:N). Confidentiality is rated low because the advisory reports leakage of draft titles only, not post bodies or metadata. No exploitation in the wild had been reported as of the publication date (January 6, 2026).

In practice the flaw lets an attacker gather intelligence about content an organisation has written but not yet released, which can feed targeted phishing, competitive intelligence or corporate espionage. WordPress is widely used for content management, including across Europe, so any organisation running the Phlox theme together with this plugin and keeping sensitive material in drafts is exposed. No patched version is linked from this entry; administrators should check the plugin's changelog for a release later than 2.17.13 and, until it is installed, apply a compensating control such as requiring a login for the AJAX action.
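The following PHP is a constructed illustration of the bug class described above, not code from the averta plugin (which this entry does not show). It places a weak admin-ajax search handler, which keeps drafts in its results, next to a hardened one that constrains the query to published content and re-checks each row. The action name auxels_ajax_search is taken from the advisory; the request parameter `s`, the callback names, the `post_status => 'any'` setting as the cause and the JSON response shape are assumptions made for the example.

```php
<?php
/**
 * Constructed example for CVE-2025-13215 (not the plugin's own code).
 * Assumptions: request parameter 's', callback names, response shape, and
 * 'post_status' => 'any' as the weak setting are all made up here; only the
 * action name 'auxels_ajax_search' comes from the advisory.
 */

// Weak variant. WP_Query limits anonymous callers to published posts only
// when post_status is left at its default; 'any' (or a raw SQL LIKE query
// with no status filter) keeps drafts in the result set. Because the
// handler is also hooked on wp_ajax_nopriv_*, an anonymous request to
//   /wp-admin/admin-ajax.php?action=auxels_ajax_search&s=<term>
// returns titles the caller is not permitted to read.
function example_search_weak() {
    $term = isset( $_REQUEST['s'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) : '';

    $q = new WP_Query( array(
        's'              => $term,
        'post_type'      => 'post',
        'post_status'    => 'any',   // the weak setting: includes drafts
        'posts_per_page' => 10,
        'no_found_rows'  => true,
    ) );

    $out = array();
    foreach ( $q->posts as $p ) {
        $out[] = array( 'title' => get_the_title( $p ), 'url' => get_permalink( $p ) );
    }
    wp_send_json_success( $out );
}

// Hardened variant. The query is restricted to published, non-password
// content, and every row is re-checked before serialisation so a later
// change to the query arguments cannot silently reopen the leak.
function example_search_hardened() {
    $term = isset( $_REQUEST['s'] ) ? sanitize_text_field( wp_unslash( $_REQUEST['s'] ) ) : '';
    if ( '' === $term || mb_strlen( $term ) > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid query' ), 400 );
    }

    $q = new WP_Query( array(
        's'              => $term,
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'has_password'   => false,
        'posts_per_page' => 10,
        'no_found_rows'  => true,
    ) );

    $out = array();
    foreach ( $q->posts as $p ) {
        // Defence in depth: emit nothing that is not publicly readable.
        if ( 'publish' !== get_post_status( $p ) || post_password_required( $p ) ) {
            continue;
        }
        $out[] = array( 'title' => get_the_title( $p ), 'url' => get_permalink( $p ) );
    }
    wp_send_json_success( $out );
}

// Public search is a legitimate feature, so the nopriv hook stays; the fix
// belongs in the query, and a nonce check would not help here because the
// caller is allowed to call the endpoint, just not to see drafts.
add_action( 'wp_ajax_auxels_ajax_search',        'example_search_hardened' );
add_action( 'wp_ajax_nopriv_auxels_ajax_search', 'example_search_hardened' );
```

When reviewing a plugin for this pattern, grep its AJAX callbacks for `post_status`, `'any'`, and direct `$wpdb` queries against `wp_posts`, and confirm that every handler reachable through `wp_ajax_nopriv_` either filters on `publish` or checks a capability such as `edit_posts` before returning non-public rows.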
Potential Impact
The primary impact of CVE-2025-13215 is unauthorized disclosure of the titles of draft posts that have not yet been published. Because the search term is attacker-controlled and WordPress search matches substrings, an attacker does not need to guess an exact title: iterating over common words or short fragments is enough to enumerate most draft titles on the site. For European organisations this can mean premature exposure of embargoed announcements, product or campaign names, business plans or sensitive internal communications.

The vulnerability does not allow content to be modified or deleted, but the confidentiality breach can feed social engineering (a phishing lure that references an unannounced initiative is far more convincing), competitive intelligence gathering and reputational damage. Organisations in media, finance, legal and government that publish through WordPress with the affected plugin are particularly exposed, since drafts in those sectors routinely hold market-moving or legally sensitive material.

Exploitation requires no authentication and no user interaction, so the endpoint is a natural target for automated scanning and bulk harvesting. Service availability and data integrity are unaffected, but the operational and strategic consequences of leaked unpublished content can be significant. Given the popularity of WordPress in Europe and of the Phlox theme, the population of affected sites is considerable, above all where plugins are not kept current or draft content is not otherwise protected.
Mitigation Recommendations
1. Monitor for an official update from averta to the Shortcodes and extra features for Phlox theme plugin (a release later than 2.17.13) and apply it promptly once available.
2. Until the update is installed, require a login for the affected AJAX action. The cleanest WordPress-level control is a must-use plugin that refuses unauthenticated requests whose action parameter is auxels_ajax_search; a web-server rule can do the same for GET requests, but note that the action may also arrive in a POST body and that admin-ajax.php is shared by many plugins, so do not block the endpoint wholesale.
3. Disable or restrict the auxels_ajax_search functionality entirely if the site does not rely on it, to reduce the attack surface.
4. Audit installed WordPress plugins and themes regularly and remediate outdated or vulnerable components.
5. Deploy WAF rules that key on the action parameter of admin-ajax.php requests rather than on the path alone; rate-limit or block unauthenticated requests carrying action=auxels_ajax_search.
6. Educate content creators and administrators that draft titles can be exposed by defects of this kind, and keep sensitive specifics out of titles until publication.
7. Use security plugins that enforce stricter content-visibility policies and flag anomalous access patterns.
8. Log admin-ajax.php requests together with their action parameter and client address, and alert on bursts of auxels_ajax_search calls from a single source. Standard access logs capture only the query string, so requests that pass the action in a POST body need application-level logging.
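The compensating control from steps 2 and 8 above, as a must-use plugin. This is an added example written for this entry, not a patch from averta. It assumes the vulnerable handler is dispatched by admin-ajax.php under the action name auxels_ajax_search (the name the advisory cites); the plugin name, function name and log message are made up here. Hooking admin_init works regardless of the priority the plugin registered its own callback with, because admin-ajax.php fires admin_init before it dispatches any wp_ajax_* or wp_ajax_nopriv_* hook.

```php
<?php
/**
 * Plugin Name: Temporary guard for auxels_ajax_search (constructed example)
 * Description: Drop into wp-content/mu-plugins/ to require a login for the
 *              affected AJAX action until the plugin is updated. Not from
 *              averta; the action name is the one the advisory cites, the
 *              rest is assumed for this example.
 */

add_action( 'admin_init', 'example_guard_auxels_ajax_search' );

function example_guard_auxels_ajax_search() {
    // Only act on admin-ajax.php requests; admin_init also fires for
    // ordinary wp-admin page loads.
    if ( ! wp_doing_ajax() ) {
        return;
    }

    // admin-ajax.php reads the action from GET or POST, so check both.
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    if ( 'auxels_ajax_search' !== $action ) {
        return;
    }

    // Authenticated users keep the feature; drafts are part of their
    // normal editorial workflow and the leak only matters to anonymous callers.
    if ( is_user_logged_in() ) {
        return;
    }

    // Record the attempt for the SOC (step 8). The search term itself is
    // deliberately not logged so probing payloads are not copied verbatim
    // into log files. REMOTE_ADDR is the proxy when one sits in front of
    // PHP; adjust to the trusted forwarding header in that case.
    $client = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'blocked unauthenticated auxels_ajax_search from %s', $client ) );

    // Stop here: the plugin's own callback never runs for this request.
    wp_send_json_error( array( 'message' => 'authentication required' ), 403 );
}
```

This trades the public search box for confidentiality until the fixed release is installed; anonymous visitors will see the site's search widget fail or return an error, so remove the guard once the plugin has been updated and the fix verified.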
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-11-14T19:32:41.238Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 695cb1423839e44175f61ff7
Added to database: 1/6/2026, 6:52:50 AM
Last enriched: 1/6/2026, 7:07:52 AM
Last updated: 1/8/2026, 10:35:17 AM
Related Threats
- CVE-2025-66001: CWE-295: Improper Certificate Validation in SUSE neuvector (High)
- CVE-2026-21874: CWE-772: Missing Release of Resource after Effective Lifetime in zauberzeug nicegui (Medium)
- CVE-2026-21873: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui (High)
- CVE-2026-21872: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui (Medium)
- CVE-2026-21871: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in zauberzeug nicegui (Medium)