CVE-2025-0682 in ThemeREX Addons Plugin
Summary
by MITRE • 01/25/2025
The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 08/08/2025
The vulnerability identified as CVE-2025-0682 affects the ThemeREX Addons plugin for WordPress, specifically targeting versions up to and including 2.33.0. This represents a critical security flaw that stems from improper input validation within the plugin's shortcode implementation. The vulnerability manifests through the 'trx_sc_reviews' shortcode where the 'type' attribute fails to properly sanitize user-supplied input, creating an exploitable path for local file inclusion attacks. Security researchers have identified this issue as a direct consequence of inadequate parameter validation that allows malicious actors to manipulate the file inclusion mechanism within the plugin's codebase.
The technical exploitation of this vulnerability occurs when authenticated users with contributor-level permissions or higher attempt to manipulate the 'type' attribute parameter within the 'trx_sc_reviews' shortcode. This flaw enables attackers to specify arbitrary file paths that the plugin then attempts to include and execute on the server. The vulnerability is classified under CWE-22 as it involves improper limitation of a pathname to a restricted directory, allowing access to files outside of the intended scope. The attack vector leverages the principle of insufficient input validation, where the plugin fails to properly validate or sanitize the 'type' attribute before using it in file inclusion operations. This weakness creates a direct path for code execution as PHP code within the targeted files gets processed and executed on the web server, potentially leading to complete system compromise.
The operational impact of this vulnerability extends beyond simple code execution capabilities, as it provides attackers with the means to bypass existing access controls and obtain sensitive data from the affected WordPress installation. An authenticated attacker with contributor privileges can leverage this vulnerability to execute arbitrary PHP code, potentially escalating their privileges or accessing restricted areas of the system. The implications are particularly severe because the vulnerability affects a widely used WordPress plugin, meaning that numerous websites could be exposed to this attack vector. Additionally, the vulnerability's exploitation can result in data exfiltration, system compromise, and potential lateral movement within network environments where WordPress installations are deployed. The ability to include and execute files also enables attackers to establish persistent backdoors or deploy additional malicious payloads, making this vulnerability particularly dangerous in production environments.
Mitigation strategies for CVE-2025-0682 should prioritize immediate patching of the ThemeREX Addons plugin to version 2.33.1 or later, which contains the necessary security fixes. Organizations should implement strict input validation measures and consider restricting contributor-level user permissions where possible, limiting the attack surface for authenticated users. Network monitoring solutions should be configured to detect unusual file inclusion patterns and anomalous PHP execution behaviors that may indicate exploitation attempts. Security teams should also implement proper file access controls and ensure that the web server operates with minimal required privileges to limit the potential impact of successful exploitation. The vulnerability's classification under the ATT&CK framework would place it within the privilege escalation and execution categories, emphasizing the need for comprehensive security controls. Regular security audits and vulnerability assessments should be conducted to identify similar issues in other plugins and themes, while maintaining up-to-date security patches across all WordPress components to prevent similar vulnerabilities from being exploited in the future.