ThemeREX Addons
by WordPress
CVEs (5)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2020-10257 | | | 0.05 | — | 0.09 | | Mar 9, 2020 | The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe… |
| CVE-2025-60205 | | | 0.00 | — | — | | Jun 17, 2026 | Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions. |
| CVE-2025-6997 | | | 0.00 | — | 0.00 | | Jul 19, 2025 | The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin’s SVG rendering routine calls the… |
| CVE-2024-13448 | | | 0.00 | — | 0.01 | | Jan 28, 2025 | The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload… |
| CVE-2025-0682 | | | 0.00 | — | 0.01 | | Jan 25, 2025 | The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to… |