CVE-2025-0682

Name of the Vulnerable Software and Affected Versions ThemeREX Addons plugin for WordPress versions up to and including 2.33.0

Description The issue arises from the trx sc reviews shortcode type attribute, allowing authenticated attackers with contributor-level or higher permissions to include and execute arbitrary files on the server. This can be used to bypass access controls, obtain sensitive data, or achieve code execution, particularly when PHP file types can be uploaded and included.

Recommendations For versions up to and including 2.33.0, consider disabling the trx sc reviews shortcode until a patch is available to prevent exploitation. Restrict access to the type attribute in the trx sc reviews shortcode to minimize the risk of arbitrary file inclusion. Avoid using the type attribute in the affected shortcode until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.