Cyber Posture

CVE-2024-13448

Critical

Published: 28 January 2025

Published
28 January 2025
Modified
30 January 2025
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0302 86.7th percentile
Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-13448 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Themerex Addons. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 13.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Flaw remediation requires patching the vulnerable ThemeREX Addons plugin up to version 2.32.3 to fix the missing file type validation in trx_addons_uploads_save_data.

SI-10 Information Input Validation good match
prevent

Information input validation enforces file type checking on uploads, directly addressing the unrestricted arbitrary file upload vulnerability.

SI-3 Malicious Code Protection partial match
preventdetect

Malicious code protection scans uploaded files for dangerous types and blocks execution, mitigating potential remote code execution from arbitrary uploads.

NVD Description

The ThemeREX Addons plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'trx_addons_uploads_save_data' function in all versions up to, and including, 2.32.3. This makes it possible for unauthenticated attackers to upload arbitrary…

more

files on the affected site's server which may make remote code execution possible.

Deeper analysisAI

CVE-2024-13448 is an arbitrary file upload vulnerability in the ThemeREX Addons plugin for WordPress, affecting all versions up to and including 2.32.3. The issue arises from missing file type validation in the 'trx_addons_uploads_save_data' function, classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for high-impact exploitation.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges or user interaction required. By leveraging the flawed upload function, they can place arbitrary files on the affected WordPress site's server, which may enable remote code execution depending on the uploaded file type and server configuration.

Advisories provide further details on this vulnerability, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/7c1372bd-821d-439c-9b11-dfa5f08dd0dd?source=cve and the associated theme page on ThemeForest at https://themeforest.net/item/qwery-multipurpose-business-wordpress-theme/29678687. Security practitioners should consult these sources for recommended mitigations and patch information.

Details

CWE(s)
CWE-434

Affected Products

themerex
addons
≤ 2.34.0

CVEs Like This One

CVE-2025-0682Same product: Themerex Addons
CVE-2024-13770Same vendor: Themerex
CVE-2021-35485Shared CWE-434
CVE-2020-36942Shared CWE-434
CVE-2025-34299Shared CWE-434
CVE-2025-26411Shared CWE-434
CVE-2024-57169Shared CWE-434
CVE-2023-53933Shared CWE-434
CVE-2025-68909Shared CWE-434
CVE-2021-47757Shared CWE-434

References