
CVE-2025-0682: CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') in ThemeREX Addons

Severity: High
Tags: Vulnerability, CVE-2025-0682, CWE-98
Published: Sat Jan 25 2025 (01/25/2025, 05:30:06 UTC)
Source: CVE Database V5
Product: ThemeREX Addons

Description

CVE-2025-0682 is a high-severity Local File Inclusion (LFI) vulnerability in the ThemeREX Addons WordPress plugin, affecting all versions up to and including 2.33.0. It arises from improper control of the filename derived from the 'type' attribute of the 'trx_sc_reviews' shortcode, allowing authenticated users with contributor-level or higher permissions to include and execute arbitrary files on the server. This can lead to remote code execution if PHP files can be uploaded and then included, bypassing access controls and exposing sensitive data. The vulnerability requires no user interaction but does require authentication with contributor or higher privileges. Although no known exploits are currently in the wild, the CVSS score of 8.8 reflects the high impact and ease of exploitation. Organizations using this plugin should prioritize patching or mitigating this flaw to prevent potential compromise. Countries with significant WordPress usage and active web development communities are at higher risk.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 23:53:56 UTC

Technical Analysis

CVE-2025-0682 is a Local File Inclusion vulnerability classified under CWE-98, found in the ThemeREX Addons plugin for WordPress, affecting all versions up to and including 2.33.0. The flaw exists in the handling of the 'type' attribute within the 'trx_sc_reviews' shortcode, where the plugin fails to properly validate or sanitize the filename input used in include or require PHP statements. This improper control allows authenticated users with contributor-level or higher permissions to manipulate the filename parameter to include arbitrary files from the server. If an attacker can upload PHP files (e.g., via other plugin vulnerabilities or misconfigurations), they can include and execute these files remotely, leading to full remote code execution on the web server. The vulnerability does not require user interaction but does require authentication with contributor or higher privileges, which are commonly granted in many WordPress sites for content creation. The CVSS 3.1 score of 8.8 indicates a high-severity issue with network attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. No public exploits are known at this time, but the potential for exploitation is significant given the widespread use of WordPress and ThemeREX Addons. The vulnerability enables attackers to bypass access controls, execute arbitrary PHP code, and potentially take over the affected website and underlying server infrastructure.
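To make the CWE-98 pattern concrete, the following is an added illustration written for this page, not ThemeREX's own code: a hypothetical shortcode handler whose 'type' attribute flows straight into an include path, beside a hardened version that allowlists the value and verifies the resolved path stays inside the template directory. Template names, the templates/reviews/ directory and the shortcode name are assumptions.

```php
<?php
// Added illustration of the CWE-98 pattern; hypothetical code, NOT the ThemeREX Addons source.
// Assumes templates live in templates/reviews/ next to this file.

// Vulnerable shape: the attribute value is concatenated into the path with no validation,
// so any contributor who can place a shortcode controls which file PHP includes.
function insecure_reviews_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'default' ), $atts, 'hypothetical_reviews' );
    $file = __DIR__ . '/templates/reviews/' . $atts['type'] . '.php';
    ob_start();
    include $file; // a traversal value in 'type' escapes the template directory
    return ob_get_clean();
}

// Hardened shape: only known template names are accepted, and the resolved path is
// checked against the template directory before anything is included.
function secure_reviews_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'type' => 'default' ), $atts, 'hypothetical_reviews' );
    $path = resolve_review_template( $atts['type'] );
    if ( null === $path ) {
        return ''; // unknown or unsafe value: render nothing rather than include anything
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

function resolve_review_template( $type ) {
    $allowed = array( 'default', 'compact', 'grid' ); // hypothetical template names
    if ( ! is_string( $type ) || ! in_array( $type, $allowed, true ) ) {
        return null;
    }
    $base = realpath( __DIR__ . '/templates/reviews' );
    $path = realpath( $base . '/' . $type . '.php' );
    // realpath() returns false for a missing file; the prefix check also defeats symlink tricks.
    if ( false === $base || false === $path
        || 0 !== strpos( $path, $base . DIRECTORY_SEPARATOR ) ) {
        return null;
    }
    return $path;
}
```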

Potential Impact

The impact of CVE-2025-0682 is severe for organizations using the ThemeREX Addons plugin on WordPress sites. Successful exploitation can lead to remote code execution, allowing attackers to execute arbitrary PHP code with the privileges of the web server user. This can result in full site compromise, data theft, defacement, installation of backdoors, or pivoting to internal networks. Confidential information stored or processed by the website can be exposed or altered, and availability can be disrupted by malicious actions such as deleting files or launching denial-of-service conditions. Since the vulnerability requires only contributor-level authentication, it lowers the barrier for exploitation in environments where contributors are common, increasing the risk. The widespread use of WordPress globally, including in e-commerce, government, and enterprise websites, amplifies the potential impact. Additionally, attackers could leverage this vulnerability to establish persistent access or use compromised servers as part of larger botnets or attack campaigns.

Mitigation Recommendations

To mitigate CVE-2025-0682, organizations should immediately update the ThemeREX Addons plugin to a patched version once available. Until a patch is released, implement the following specific measures:

1) Restrict contributor and higher-level user permissions to trusted individuals only, minimizing the risk of malicious exploitation.
2) Disable or remove the 'trx_sc_reviews' shortcode or any functionality that uses the vulnerable 'type' attribute to prevent exploitation.
3) Harden file upload mechanisms across the WordPress site to prevent uploading of executable PHP files, including strict MIME type and extension checks, and disabling PHP execution in upload directories.
4) Employ Web Application Firewalls (WAFs) with custom rules to detect and block attempts to exploit the inclusion vulnerability.
5) Monitor server and application logs for unusual file inclusion attempts or suspicious activity related to shortcode usage.
6) Conduct regular security audits and vulnerability scans focusing on WordPress plugins and user permissions.
7) Implement least privilege principles for all WordPress roles and consider additional authentication controls such as multi-factor authentication for contributors and above.
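Measures 2 and 5 above can be combined in a single must-use plugin; the following is an added example written for this page, not code from ThemeREX or Wordfence. It replaces the 'trx_sc_reviews' shortcode with a handler that renders nothing and writes a log line naming the post, its author and the supplied 'type' value. The file name, the log format and the "plain identifier" heuristic are assumptions.

```php
<?php
/**
 * Plugin Name: Interim mitigation for CVE-2025-0682 (neutralise trx_sc_reviews)
 * Added example for this advisory; place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Hook late on 'init' so ThemeREX Addons has already registered its shortcode when we replace it.
add_action( 'init', 'cve_2025_0682_neutralise_shortcode', 100 );

function cve_2025_0682_neutralise_shortcode() {
    if ( ! shortcode_exists( 'trx_sc_reviews' ) ) {
        return; // plugin inactive, or already patched and the shortcode renamed/removed
    }
    remove_shortcode( 'trx_sc_reviews' );
    // Re-register under the same tag so the raw "[trx_sc_reviews ...]" text is swallowed, not displayed.
    add_shortcode( 'trx_sc_reviews', 'cve_2025_0682_log_and_drop' );
}

function cve_2025_0682_log_and_drop( $atts ) {
    $type = ( is_array( $atts ) && isset( $atts['type'] ) ) ? (string) $atts['type'] : '';

    // Shortcodes render when a page is viewed, so identify the post author, not the viewer.
    $post_id = get_the_ID();
    $author  = $post_id ? (int) get_post_field( 'post_author', $post_id ) : 0;

    // A legitimate template name is a plain identifier; anything else (slashes, dots, null
    // bytes, wrappers) is worth a closer look during log review (mitigation item 5).
    $suspicious = '' !== $type && ! preg_match( '/^[a-z0-9_-]+$/i', $type );

    error_log( sprintf(
        '[CVE-2025-0682 mitigation] trx_sc_reviews blocked post=%d author=%d viewer=%d suspicious=%s type=%s',
        $post_id ? $post_id : 0,
        $author,
        get_current_user_id(),
        $suspicious ? 'yes' : 'no',
        substr( preg_replace( '/[^\x20-\x7e]/', '?', $type ), 0, 200 ) // keep log lines printable
    ) );

    return ''; // render nothing: the vulnerable handler is never reached
}
```

Remove the file once the plugin is updated to a fixed release, otherwise the review shortcode will stay blank on all pages.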


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-23T17:22:10.767Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6b6bb7ef31ef0b555383

Added to database: 2/25/2026, 9:36:43 PM

Last enriched: 2/25/2026, 11:53:56 PM

Last updated: 2/26/2026, 9:24:05 AM

