CVE-2025-0682
📋 TL;DR
The ThemeREX Addons WordPress plugin has a Local File Inclusion (LFI) vulnerability that allows authenticated attackers with Contributor-level permissions or higher to include and execute arbitrary PHP files on the server. This can lead to remote code execution, data theft, and access-control bypass. All WordPress sites running ThemeREX Addons version 2.33.0 or earlier are affected.
💻 Affected Systems
- ThemeREX Addons WordPress Plugin
📦 What is this software?
Addons by Themerex
⚠️ Risk & Real-World Impact
Worst Case
Full server compromise via remote code execution, leading to data exfiltration, ransomware deployment, or complete site takeover.
Likely Case
Unauthorized file access leading to sensitive data exposure, privilege escalation, or backdoor installation.
If Mitigated
Limited impact if proper file-upload restrictions and server hardening are in place, though some data exposure may still occur.
🎯 Exploit Status
Exploitation requires authenticated access and the ability to upload PHP files or reach existing PHP files on the server.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 2.33.1 or later
Vendor Advisory: https://themeforest.net/item/qwery-multipurpose-business-wordpress-theme/29678687
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find ThemeREX Addons and update to version 2.33.1 or later.
4. If the auto-update fails, manually download and install the latest version from the vendor.
🔧 Temporary Workarounds
Disable vulnerable shortcode
Remove or disable the 'trx_sc_reviews' shortcode functionality.
Add to the theme's functions.php, hooked on init with a late priority so it runs after the plugin has registered the shortcode: add_action('init', function () { remove_shortcode('trx_sc_reviews'); }, 99);
Restrict file uploads
Prevent PHP file uploads via the WordPress media library and server configuration.
Add to wp-content/uploads/.htaccess (the uploads directory only; in the site root this would block WordPress itself), Apache 2.4 syntax:
<FilesMatch "\.php$">
  Require all denied
</FilesMatch>
(On Apache 2.2, use "Deny from all" in place of "Require all denied".)
Configure wp-config.php to restrict uploads
🧯 If You Can't Patch
- Remove contributor and higher role permissions from untrusted users
- Implement web application firewall rules to block requests containing 'trx_sc_reviews' shortcode parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > ThemeREX Addons version. If version is 2.33.0 or earlier, you are vulnerable.
Check Version:
wp plugin list --name=trx_addons --field=version
(trx_addons is the plugin's directory slug; the output is empty if the plugin is not installed.)
Verify Fix Applied:
After updating, verify plugin version shows 2.33.1 or later in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing 'trx_sc_reviews' shortcode with 'type' parameter
- Unusual file inclusion attempts in PHP error logs
- Multiple failed authentication attempts from single IP
Network Indicators:
- POST requests to wp-admin with shortcode parameters
- Unusual outbound connections from web server
SIEM Query:
source="web_logs" AND ("trx_sc_reviews" OR ("type=" AND "themerex"))
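As an added detection example (not part of the advisory), a Python scanner that applies the log indicators above to access-log lines: it flags any request mentioning trx_sc_reviews, and escalates when the accompanying type value looks like a file path rather than a plain template name. The combined log format, the admin-ajax query layout, and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Apache/Nginx combined log format; the request target is what we inspect.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
SHORTCODE = "trx_sc_reviews"          # shortcode named in the advisory
TYPE_RE = re.compile(r'\btype=["\']?([^&"\'\s\]]*)', re.I)  # query or shortcode attr
# A legitimate type is a short template name; parent refs, separators,
# a .php suffix or a scheme prefix mark file-inclusion attempts.
PATH_LIKE_RE = re.compile(r'(\.\./|[\\/]|\.php\b|^\w+:)', re.I)

# Constructed sample log lines (assumption: not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2025:10:01:02 +0000] "GET /?p=12 HTTP/1.1" 200 5123
203.0.113.9 - - [10/Mar/2025:10:02:10 +0000] "GET /?s=trx_sc_reviews HTTP/1.1" 200 700
203.0.113.9 - - [10/Mar/2025:10:03:44 +0000] "POST /wp-admin/admin-ajax.php?sc=trx_sc_reviews&type=default HTTP/1.1" 200 88
203.0.113.9 - - [10/Mar/2025:10:04:01 +0000] "POST /wp-admin/admin-ajax.php?sc=trx_sc_reviews&type=..%2F..%2F..%2Fwp-config HTTP/1.1" 200 88
"""


def assess(request_text: str) -> dict:
    """Classify one request target (or logged body/shortcode text).

    severity: "none" (no shortcode), "low" (shortcode present, type absent or
    a plain name), "high" (type value looks like a file path).
    """
    s = unquote_plus(request_text)
    if SHORTCODE not in s.lower():
        return {"hit": False, "severity": "none", "type": None}
    m = TYPE_RE.search(s)
    if not m:
        return {"hit": True, "severity": "low", "type": None}
    value = m.group(1)
    severity = "high" if PATH_LIKE_RE.search(value) else "low"
    return {"hit": True, "severity": severity, "type": value}


def scan_log(text: str) -> list:
    """Return (ip, timestamp, severity, type value) for each matching line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip lines not in combined format
        result = assess(m.group("target"))
        if result["hit"]:
            findings.append((m.group("ip"), m.group("ts"), result["severity"], result["type"]))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Feed real access logs through scan_log and route "high" findings to the SIEM rule above; "low" hits are expected from legitimate editors using the shortcode and serve as baseline context.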