VulnCheck KEV: CVE-2024-13448

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trxaddonsuploadssavedata' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

WordPress ThemeREX Addons plugin < 2.38.5 - Unauthenticated Arbitrary File Upload vulnerability

Unauthenticated Arbitrary File Upload vulnerability discovered by Erwan LR WPScan in WordPress Plugin ThemeREX Addons versions 2.38.5...

CVE-2026-1969 ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload

The trxaddons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448...

CVE-2026-1969 ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload

The trxaddons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448...

CVE-2026-1969

CVE-2026-1969 affects the WordPress plugin trx_addons prior to version 2.38.5. The issue is improper validation of file types in an AJAX action, enabling unauthenticated uploads of arbitrary files. Root cause noted as an incorrect fix of CVE-2024-13448. Some sources confirm the vulnerable version...

CVE-2020-10257

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trxaddons/v2/get/sclayout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trxaddonsrestgetsclayout with an unsafe sc parameter...

EUVD-2020-2712

Malware in sbrugna...

EUVD-2024-51607

Malicious code in bioql PyPI...

EUVD-2025-1814

Malicious code in bioql PyPI...

CVE-2025-6997

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trxaddonsgetsvgfromfile function on an...

CVE-2025-6997

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trxaddonsgetsvgfromfile function on an...

CVE-2025-6997 ThemeREX Addons <= 2.35.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function

The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the trxaddonsgetsvgfromfile function on an...

CVE-2025-6997

CVE-2025-6997 : ThemeREX Addons for WordPress is vulnerable to a stored cross-site scripting (XSS) via SVG uploads in versions

PT-2025-30121 · WordPress · Themerex Addons

Name of the Vulnerable Software and Affected Versions: ThemeREX Addons versions prior to 2.35.1.2 Description: The ThemeREX Addons plugin for WordPress is susceptible to Stored Cross-Site Scripting through SVG File uploads. Insufficient input sanitization and output escaping in the plugin’s SVG...

CVE-2025-0682

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trxscreviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute...

CVE-2024-13448

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trxaddonsuploadssavedata' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

WordPress ThemeREX Addons plugin <= 2.32.3 - Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data vulnerability

Unauthenticated Arbitrary File Upload in trxaddonsuploadssavedata vulnerability discovered by Tonn in WordPress Plugin ThemeREX Addons versions = 2.32.3...

CVE-2024-13448

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trxaddonsuploadssavedata' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

CVE-2024-13448 ThemeREX Addons <= 2.32.3 - Unauthenticated Arbitrary File Upload in trx_addons_uploads_save_data

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trxaddonsuploadssavedata' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary files on the...

CVE-2024-13448

CVE-2024-13448 affects the WordPress ThemeREX Addons plugin (versions up to and including 2.32.3). The vulnerability arises from missing file type validation in trx_addons_uploads_save_data, allowing unauthenticated attackers to upload arbitrary files to the server, with the potential for remote ...