CVE-2025-0682
Published: 25 January 2025
Summary
CVE-2025-0682 is a high-severity PHP Remote File Inclusion (CWE-98) vulnerability in Themerex Addons. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 46.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the Local File Inclusion by enforcing validation and sanitization of the 'trx_sc_reviews' shortcode 'type' attribute to prevent inclusion of arbitrary files.
Ensures timely identification, reporting, and patching of the vulnerable ThemeREX Addons plugin versions up to 2.33.0 to remediate the flaw.
Limits exploitation potential by enforcing least privilege, restricting contributor-level and higher access to only necessary permissions and reducing authenticated attack surface.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
LFI in public-facing WordPress plugin directly enables remote exploitation (T1190); arbitrary PHP file inclusion facilitates web shell deployment/execution (T1100).
NVD Description
The ThemeREX Addons plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.33.0 via the 'trx_sc_reviews' shortcode 'type' attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include…
more
and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included.
Deeper analysisAI
CVE-2025-0682, published on 2025-01-25, is a Local File Inclusion vulnerability (CWE-98) in the ThemeREX Addons plugin for WordPress, affecting all versions up to and including 2.33.0. The issue arises via the 'trx_sc_reviews' shortcode 'type' attribute, which fails to properly sanitize inputs, enabling the inclusion of arbitrary local files on the server. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Authenticated attackers with contributor-level permissions or higher can exploit this vulnerability remotely with low complexity and no user interaction required. By manipulating the 'type' attribute, they can include and execute arbitrary files, including PHP code, leading to server-side code execution. This allows bypassing access controls, extracting sensitive data, or achieving full remote code execution in scenarios where PHP files can be uploaded and subsequently included.
Mitigation details are outlined in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/15a9718f-f877-4e33-8f7a-950791c4ca85?source=cve and the Qwery theme page on ThemeForest at https://themeforest.net/item/qwery-multipurpose-business-wordpress-theme/29678687, which is associated with the ThemeREX Addons plugin. Security practitioners should review these sources for patch availability and update instructions specific to the affected plugin versions.
Details
- CWE(s)