CVE-2025-0682

CVE-2025-0682, published on 2025-01-25, is a Local File Inclusion vulnerability (CWE-98) in the ThemeREX Addons plugin for WordPress, affecting all versions up to and including 2.33.0. The issue arises via the 'trx_sc_reviews' shortcode 'type' attribute, which fails to properly sanitize inputs, enabling the inclusion of arbitrary local files on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the 'type' attribute, they can include and execute arbitrary files, including PHP code, leading to server-side code execution. This allows bypassing access controls, extracting sensitive data, or achieving full remote code execution in scenarios where PHP files can be uploaded and subsequently included.

Mitigation details are outlined in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/15a9718f-f877-4e33-8f7a-950791c4ca85?source=cve and the Qwery theme page on ThemeForest at https://themeforest.net/item/qwery-multipurpose-business-wordpress-theme/29678687, which is associated with the ThemeREX Addons plugin. Security practitioners should review these sources for patch availability and update instructions specific to the affected plugin versions.