CVE-2025-6997: 
WordPress vulnerability analysis and mitigation

The ThemeREX Addons plugin for WordPress contains a Stored Cross-Site Scripting vulnerability (CVE-2025-6997) discovered in July 2025. This vulnerability affects all versions up to and including 2.35.1.1. The issue exists in the plugin's SVG file upload functionality and impacts WordPress installations using the ThemeREX Addons plugin (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the plugin's SVG rendering routine. Specifically, the trxaddonsgetsvgfromfile() function processes an unvalidated 'svg' parameter supplied via shortcode or Elementor widget settings, which is then output through the trxaddonsshowlayout() function. The vulnerability has received a CVSS v3.1 Base Score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N (NVD).

Due to the lack of validation on URL origin, scheme, or SVG content, authenticated attackers with Contributor-level access or higher can supply remote SVG files containing malicious web scripts. These scripts will execute whenever a user accesses the affected pages, potentially compromising the security of the website and its users (NVD).

Website administrators should update the ThemeREX Addons plugin to a version newer than 2.35.1.1 once available. Until then, it is recommended to restrict SVG upload capabilities to trusted administrators only and implement additional validation for SVG file uploads (ThemeREX).