{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-6997", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-01T22:08:38.522Z", "datePublished": "2025-07-19T08:24:22.251Z", "dateUpdated": "2026-04-08T17:28:59.504Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:59.504Z"}, "affected": [{"vendor": "ThemeREX", "product": "ThemeREX Addons", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.35.1.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin\u2019s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function. Because there is no check on the URL\u2019s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "title": "ThemeREX Addons <= 2.35.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b19017-b2f0-4c3b-b263-1fbec6f1dce4?source=cve"}, {"url": "https://themerex.net/wp/download_plugins/themerex-addons/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "timeline": [{"time": "2025-07-18T19:52:51.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-21T17:58:14.309750Z", "id": "CVE-2025-6997", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T18:09:51.284Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-6997", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-21T17:58:14.309750Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-21T17:58:20.228Z"}}], "cna": {"title": "ThemeREX Addons <= 2.35.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via trx_addons_get_svg_from_file Function", "credits": [{"lang": "en", "type": "finder", "value": "Matthew Rollings"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "ThemeREX", "product": "ThemeREX Addons", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.35.1.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-18T19:52:51.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b19017-b2f0-4c3b-b263-1fbec6f1dce4?source=cve"}, {"url": "https://themerex.net/wp/download_plugins/themerex-addons/"}], "descriptions": [{"lang": "en", "value": "The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin\u2019s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function. Because there is no check on the URL\u2019s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:28:59.504Z"}}}, "cveMetadata": {"cveId": "CVE-2025-6997", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:28:59.504Z", "dateReserved": "2025-07-01T22:08:38.522Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-07-19T08:24:22.251Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6A35D065-3D17-46D6-AC1F-59E85F88470D", "versionEndExcluding": "2.35.2.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ThemeREX Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.35.1.1 due to insufficient input sanitization and output escaping. The plugin\u2019s SVG rendering routine calls the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter supplied via the shortcode or Elementor widget settings, then outputs it via the trx_addons_show_layout() function. Because there is no check on the URL\u2019s origin, scheme, or the SVG content itself, authenticated attackers, with Contributor-level access and above, can supply a remote SVG and inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file."}, {"lang": "es", "value": "El complemento ThemeREX Addons para WordPress es vulnerable a Cross-Site Scripting (XSS) Almacenado al subir archivos SVG en todas las versiones hasta la 2.35.1.1 incluida, debido a una depuraci\u00f3n de entrada insuficiente y un escape de salida insuficiente. La rutina de renderizado SVG del complemento llama a la funci\u00f3n trx_addons_get_svg_from_file() con un par\u00e1metro 'svg' no validado, proporcionado mediante el shortcode o la configuraci\u00f3n del widget de Elementor, y luego lo genera mediante la funci\u00f3n trx_addons_show_layout(). Dado que no se verifica el origen, el esquema ni el contenido SVG de la URL, los atacantes autenticados con acceso de colaborador o superior pueden proporcionar un SVG remoto e inyectar scripts web arbitrarios en las p\u00e1ginas que se ejecutar\u00e1n al acceder al archivo SVG."}], "id": "CVE-2025-6997", "lastModified": "2025-08-11T19:13:21.383", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-07-19T09:15:23.477", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://themerex.net/wp/download_plugins/themerex-addons/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1b19017-b2f0-4c3b-b263-1fbec6f1dce4?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T20:13:24.591459+00:00", "value": {"mitigation_remediation": ["Upgrade ThemeREX Addons to the latest released version that resolves the SVG sanitization issue. If an upgrade is not immediately feasible, remove or downgrade the Contributor role for users who do not need it to reduce the attack surface. ", "Disable or remove the shortcode/widget that permits external SVG URLs, either by configuring the plugin settings to reject remote URLs or by using a security plugin that blocks remote file inclusion. ", "Ensure that WordPress\u2019s file\u2011upload permissions are tightly scoped so that only administrators can embed remote SVG files, and consider using an additional input\u2011validation plugin that sanitizes SVG content before rendering."], "summary": {"action": "Patch Now", "impact": "Stored cross\u2011site scripting that allows authenticated contributors to inject arbitrary JavaScript into pages rendered by the ThemeREX Addons plugin"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the ThemeREX Addons plugin with a version of 2.35.1.1 or earlier. The affected product is the ThemeREX Addons plugin distributed by ThemeREX for WordPress. No specific WordPress core version is required for the flaw to exist; any site that uses the vulnerable plugin version is at risk.", "description_and_impact": "The vulnerability resides in the ThemeREX Addons plugin\u2019s SVG rendering routine, where the trx_addons_get_svg_from_file() function accepts an unvalidated 'svg' parameter from shortcode or Elementor widget settings and outputs it through trx_addons_show_layout() without sanitizing the URL or its contents. Because no origin or scheme checks are performed, a contributor or higher user can supply a remote SVG containing malicious scripts. When a user views the affected page, the included JavaScript executes in that user\u2019s browser, potentially allowing an attacker to steal session cookies, deface content, or perform other client\u2011side attacks. The primary impact is arbitrary JavaScript execution in the context of the visiting user, which can lead to loss of confidentiality, integrity, and availability of the site\u2019s content.", "risk_and_exploitability": "The flaw has a CVSS score of 6.4, indicating a medium severity vulnerability. The EPSS score is reported as < 1%, suggesting low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attackers must first be authenticated with the Contributor role or higher, and then independently supply a crafted SVG file via the shortcode or Elementor widget. Once executed, the malicious script runs in the context of any user who views the page, creating a convenience vulnerability that does not require privilege escalation beyond a legitimate Contributor level.\n The risk is elevated for sites that grant Contributor access to many users, or that have a large and diverse user base that includes guests who will view the injected content.\n Overall, while exploitation likelihood is currently low, the impact warrants prompt mitigation."}}}}, "created": "2026-04-20T20:15:06.224730+00:00", "updated": "2026-04-20T20:15:06.224742+00:00", "vendors": []}