ThemeREX Addons WordPress Plugin Local File Inclusion Vulnerability

Vulnerability

A local file inclusion vulnerability has been identified in the ThemeREX Addons plugin for WordPress, affecting all versions through 2.33.0. The vulnerability arises in the 'trx_sc_reviews' shortcode, specifically through the 'type' attribute. This issue allows authenticated attackers with contributor-level or higher permissions to include and execute arbitrary files on the server. Exploitation of this vulnerability could lead to the execution of PHP code contained in the included files, potentially bypassing access controls, accessing sensitive data, or executing code in scenarios where PHP files can be uploaded and included.

Impact

Exploitation of this vulnerability could allow unauthorized file inclusion and execution of arbitrary PHP code on the server, potentially leading to bypass of access controls, access to sensitive information, or execution of uploaded PHP files.

Remediation

Users are advised to update the ThemeREX Addons plugin to version 2.34.0 or a newer patched version.
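The following triage sketch is an added example, not code from this advisory or from the plugin. It checks an installed version against the 2.34.0 fix and flags 'trx_sc_reviews' shortcodes in post content whose 'type' value is not a plain slug. The slug pattern, the function names and the sample rows are assumptions made for illustration.

```python
import re

FIXED_VERSION = (2, 34, 0)  # first patched release named in the advisory

# Assumption: legitimate 'type' values are plain slugs; the advisory lists none.
SAFE_TYPE = re.compile(r"[A-Za-z0-9_-]+")
# A [trx_sc_reviews ...] tag, capturing its attribute string.
SHORTCODE = re.compile(r"\[trx_sc_reviews\b([^\]]*)\]", re.IGNORECASE)
# type="..." / type='...' / type=bare, but not post_type= or data-type=.
TYPE_ATTR = re.compile(
    r"""(?<![\w-])type\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s\]]+))""",
    re.IGNORECASE)

def parse_version(text):
    """Turn '2.33.0' (or '2.33') into a 3-part tuple for comparison."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group().split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(version):
    """True for every release below the fixed version."""
    return parse_version(version) < FIXED_VERSION

def suspicious_types(post_content):
    """Return 'type' values of review shortcodes that are not plain slugs."""
    findings = []
    for sc in SHORTCODE.finditer(post_content):
        for m in TYPE_ATTR.finditer(sc.group(1)):
            value = next(g for g in m.groups() if g is not None)
            if value and not SAFE_TYPE.fullmatch(value):
                findings.append(value)
    return findings

def audit(plugin_version, posts):
    """Return (affected, [(post_id, value), ...]) for (id, content) rows."""
    hits = [(pid, v) for pid, body in posts for v in suspicious_types(body)]
    return is_affected(plugin_version), hits

# Constructed sample rows (post ID, post_content); not taken from a real site.
SAMPLE_POSTS = [
    (101, 'Intro [trx_sc_reviews type="short" id="5"] outro'),
    (102, "[trx_sc_reviews type='../constructed/path' id=7]"),
    (103, '[trx_sc_other type="a/b"] [trx_sc_reviews post_type="x/y"]'),
]

if __name__ == "__main__":
    affected, hits = audit("2.33.0", SAMPLE_POSTS)
    print("affected version:", affected)
    for pid, value in hits:
        print(f"post {pid}: review shortcode with unexpected type={value!r}")
```

Flagged posts are leads for review alongside the author's role, since the advisory puts the required privilege at contributor level or higher.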

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 10.0
exploitability: 4.0
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.