Description
The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448
Published: 2026-03-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated arbitrary file upload that can lead to remote code execution
Action: Patch
AI Analysis

Impact

The WordPress plugin ThemeREX Addons (trx_addons) contains an AJAX endpoint that accepts file uploads without correctly validating the file type. An attacker can therefore upload any file, including executable scripts. If the file is executed on the server, the attacker gains the ability to run arbitrary code, modify site content, or compromise sensitive data. This flaw is a classic example of arbitrary file upload vulnerability (CWE‑434) and poses a moderate risk to confidentiality, integrity and availability.

Affected Systems

The vulnerability affects all installations of ThemeREX Addons that use a version older than 2.38.5. No other products or vendor versions are specifically identified in the advisory. Sites that have not yet updated the plugin are therefore exposed to this risk.

Risk and Exploitability

The CVSS v3.1 score of 5.3 reflects moderate severity, while the EPSS probability of less than 1% suggests a low likelihood of exploitation under current threat conditions. The flaw is not listed in the CISA KEV catalog. Attackers can trigger the vulnerability from any internet‑accessible location, as authentication is not required; they only need to construct a POST request to the vulnerable AJAX endpoint and supply a malicious file. Successful exploitation would allow the attacker to execute arbitrary code on the host.

Generated by OpenCVE AI on March 23, 2026 at 16:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the ThemeREX Addons plugin to version 2.38.5 or later
  • Verify that the plugin files have been replaced and no legacy vulnerable code remains
  • Monitor the vendor’s announcements for any additional security patches

Generated by OpenCVE AI on March 23, 2026 at 16:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Themerex
Themerex addons
Wordpress
Wordpress wordpress
Vendors & Products Themerex
Themerex addons
Wordpress
Wordpress wordpress

Mon, 23 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448
Title ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload
References

Subscriptions

Themerex Addons
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-03-23T13:25:48.548Z

Reserved: 2026-02-05T13:15:10.756Z

Link: CVE-2026-1969

cve-icon Vulnrichment

Updated: 2026-03-23T13:25:31.827Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-03-23T06:16:20.257

Modified: 2026-03-23T14:31:37.267

Link: CVE-2026-1969

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:49:38Z

Weaknesses