Cyber Resilience

CVE-2025-0682

High

Published: 25 January 2025

Published
25 January 2025
Modified
08 August 2025
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0061 44.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-0682 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Themerex Addons. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-0682, published on 2025-01-25, is a Local File Inclusion vulnerability (CWE-98) in the ThemeREX Addons plugin for WordPress, affecting all versions up to and including 2.33.0. The issue arises via the 'trx_sc_reviews' shortcode 'type' attribute, which fails to properly sanitize inputs, enabling the inclusion of arbitrary local files on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the 'type' attribute, they can include and execute arbitrary files, including PHP code, leading to server-side code execution. This allows bypassing access controls, extracting sensitive data, or achieving full remote code execution in scenarios where PHP files can be uploaded and subsequently included.

Mitigation details are outlined in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/15a9718f-f877-4e33-8f7a-950791c4ca85?source=cve and the Qwery theme page on ThemeForest at https://themeforest.net/item/qwery-multipurpose-business-wordpress-theme/29678687, which is associated with the ThemeREX Addons plugin. Security practitioners should review these sources for patch availability and update instructions specific to the affected plugin versions.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include…

more

and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

LFI in public-facing WordPress plugin directly enables remote exploitation (T1190); arbitrary PHP file inclusion facilitates web shell deployment/execution (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-13448Same product: Themerex Addons
CVE-2025-15368Shared CWE-98
CVE-2025-67936Shared CWE-98
CVE-2024-13770Same vendor: Themerex
CVE-2025-69068Shared CWE-98
CVE-2025-60126Shared CWE-98
CVE-2025-60049Shared CWE-98
CVE-2025-58943Shared CWE-98
CVE-2025-60063Shared CWE-98
CVE-2026-22372Shared CWE-98

Affected Assets

themerex
addons
≤ 2.34.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the Local File Inclusion by enforcing validation and sanitization of the 'trx_sc_reviews' shortcode 'type' attribute to prevent inclusion of arbitrary files.

prevent

Ensures timely identification, reporting, and patching of the vulnerable ThemeREX Addons plugin versions up to 2.33.0 to remediate the flaw.

prevent

Limits exploitation potential by enforcing least privilege, restricting contributor-level and higher access to only necessary permissions and reducing authenticated attack surface.

References