PT-2025-30121 · WordPress · Themerex Addons

Matthew Rollings · Published 2025-07-19 · Updated 2025-07-19 · CVE-2025-6997

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: ThemeREX Addons versions prior to 2.35.1.2

Description: The ThemeREX Addons plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG file uploads. Insufficient input sanitization and output escaping in the plugin's SVG rendering routine allow authenticated attackers with Contributor-level access and above to inject arbitrary web scripts into pages when accessing SVG files. The trx_addons_get_svg_from_file() function processes an unvalidated svg parameter, and the trx_addons_show_layout() function outputs it without proper checks on the URL's origin, scheme, or SVG content.

Recommendations: Update ThemeREX Addons to version 2.35.1.2 or later.
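The description names three missing checks (URL origin, scheme, and SVG content) before the file is inlined. The following is an added example, not ThemeREX code or a patch from the plugin, showing what those checks look like in PHP 8: the svg parameter is restricted to a relative path that resolves inside the site's uploads directory (the $uploads_dir argument is an assumed placeholder), and the file body is parsed as XML and stripped of script-bearing elements, event-handler attributes and javascript:/data: references before it is returned for output. Function names (safe_svg_path, sanitize_svg, render_svg_param) are hypothetical.

```php
<?php
// Added example (not ThemeREX code). Assumes PHP >= 8.0 and the DOM extension.
declare(strict_types=1);

// Resolve a user-supplied "svg" value to a file path inside $uploads_dir, or null.
// Rejects absolute URLs of any scheme, protocol-relative URLs and path traversal,
// which covers the origin and scheme checks the advisory says were missing.
function safe_svg_path(string $svg, string $uploads_dir): ?string
{
    // Anything with a scheme (http:, javascript:, data:, ...) or a "//" host is refused.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $svg) || str_starts_with($svg, '//')) {
        return null;
    }
    if (!str_ends_with(strtolower($svg), '.svg')) {
        return null;
    }
    $base = realpath($uploads_dir);
    $path = realpath($uploads_dir . '/' . ltrim($svg, '/'));
    if ($base === false || $path === false) {
        return null;
    }
    // realpath() has resolved "..", so a traversal attempt now lies outside $base.
    if (!str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $path;
}

// Return sanitized SVG markup, or null if the document is not a plain SVG image.
// This is a deny-list illustration; a maintained allow-list sanitizer is preferable.
function sanitize_svg(string $xml): ?string
{
    $doc  = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET: never fetch anything over the network while parsing.
    $ok = $doc->loadXML($xml, LIBXML_NONET | LIBXML_NOBLANKS);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if (!$ok || $doc->documentElement === null || $doc->documentElement->localName !== 'svg') {
        return null;
    }
    // Any DOCTYPE is refused: an internal subset can declare entities.
    if ($doc->doctype !== null) {
        return null;
    }

    $forbidden = ['script', 'foreignObject', 'iframe', 'embed', 'object', 'style',
                  'set', 'animate', 'animateTransform', 'use'];
    $xpath = new DOMXPath($doc);
    // DOMXPath::query() returns a snapshot, so removing nodes while iterating is safe.
    foreach ($xpath->query('//*') as $el) {
        if (in_array($el->localName, $forbidden, true)) {
            $el->parentNode->removeChild($el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name  = strtolower($attr->localName);
            $value = trim($attr->nodeValue);
            // Drop on* event handlers and any script-capable URL value (href, xlink:href, ...).
            if (str_starts_with($name, 'on')
                || preg_match('#^\s*(javascript|data|vbscript)\s*:#i', $value)) {
                $el->removeAttributeNode($attr);
            }
        }
    }
    return $doc->saveXML($doc->documentElement);
}

// Hardened counterpart of "look up the svg parameter and echo the file": every
// failure path yields an empty string rather than raw markup.
function render_svg_param(string $svg, string $uploads_dir): string
{
    $path = safe_svg_path($svg, $uploads_dir);
    if ($path === null) {
        return '';
    }
    $body = file_get_contents($path);
    if ($body === false) {
        return '';
    }
    return sanitize_svg($body) ?? '';
}

// Constructed sample (not from the advisory): a benign circle plus an onload
// handler and a script element, both of which the sanitizer removes.
$sample = '<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
        . '<script>alert(1)</script><circle r="5"/></svg>';
echo sanitize_svg($sample), PHP_EOL;
```

The path check and the content check are deliberately independent: the first stops the parameter from pointing at a remote or non-upload resource, the second stops a Contributor-uploaded file that passed the upload filter from carrying script when it is inlined. Serving SVGs only as separate image resources (an <img> src or a CSS background) rather than inlining them is the simpler mitigation where the design allows it, because scripts inside an SVG loaded that way do not execute in the page's origin.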

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2025-6997

Affected Products: Themerex Addons