Description
The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where PHP files can be uploaded and included.
Published: 2025-01-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Local File Inclusion leading to arbitrary code execution
Action: Immediate Patch
AI Analysis

Impact

The plugin has a Local File Inclusion flaw in the trx_sc_reviews shortcode 'type' attribute that allows an authenticated user with contributor-level permission or higher to include arbitrary files, enabling execution of PHP code on the server. This can be used to bypass access controls, exfiltrate data, or gain full code execution if a PHP payload is uploaded and included.

Affected Systems

Affects ThemeREX Addons plugin for WordPress, versions 2.33.0 and below. WordPress sites that use these plugin versions are impacted.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, but the EPSS score is below 1%, suggesting a low current probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. The attack requires authenticated access at contributor level or above and the ability to supply a payload through the shortcode. If the attacker can upload a PHP file, they can include and execute arbitrary code.

Generated by OpenCVE AI on April 28, 2026 at 04:15 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade ThemeREX Addons to version 2.34.0 or later, which removes the vulnerable shortcode handling.
  • If an upgrade is not immediately possible, restrict contributor and higher user roles from using the 'trx_sc_reviews' shortcode, or remove the shortcode entirely from the plugin.
  • As a temporary measure, disallow PHP file uploads or block access to PHP files via web server configuration, and monitor for malicious file inclusion activity.


Advisories

Source: EUVD
ID: EUVD-2025-1814
Title: The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

History

Fri, 08 Aug 2025 02:15:00 +0000

First Time appeared: added Themerex, Themerex addons
CPEs: added cpe:2.3:a:themerex:addons:*:*:*:*:*:wordpress:*:*
Vendors & Products: added Themerex, Themerex addons

Wed, 12 Feb 2025 21:15:00 +0000

Metrics: added ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 25 Jan 2025 05:45:00 +0000

Description: added "The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included."
Title: added ThemeREX Addons <= 2.33.0 - Authenticated (Contributor+) Local File Inclusion via Shortcode
Weaknesses: added CWE-98
References:
Metrics: added cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:59.678Z

Reserved: 2025-01-23T17:22:10.767Z

Link: CVE-2025-0682

Vulnrichment

Updated: 2025-02-12T20:36:41.024Z

NVD

Status: Analyzed

Published: 2025-01-25T06:15:28.740

Modified: 2025-08-08T02:08:56.800

Link: CVE-2025-0682

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:15:16Z

Weaknesses
  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')