CVE-2025-0682: 
WordPress vulnerability analysis and mitigation

The ThemeREX Addons plugin for WordPress has been identified with a Local File Inclusion vulnerability (CVE-2025-0682), discovered and disclosed on January 24, 2025. This security flaw affects all versions up to and including 2.33.0. The vulnerability exists in the 'trx_sc_reviews' shortcode's 'type' attribute (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The technical nature of the flaw involves the improper handling of file inclusion mechanisms within the plugin's shortcode implementation (NVD).

The vulnerability allows authenticated attackers with contributor-level permissions or higher to include and execute arbitrary files on the server. This can lead to the execution of any PHP code contained within those files. The impact includes potential bypass of access controls, unauthorized access to sensitive data, and possible code execution when PHP files can be uploaded and included (NVD).