CVE-2025-6997 is a stored Cross-Site Scripting (XSS) vulnerability affecting the ThemeREX Addons plugin for WordPress, specifically versions up to and including 2.35.1.1. The vulnerability arises from improper input sanitization and output escaping in the plugin's handling of SVG file uploads. The core issue lies in the function trx_addons_get_svg_from_file(), which processes an 'svg' parameter supplied via shortcode or Elementor widget settings without validating the URL's origin, scheme, or the SVG content itself. This parameter is then rendered using trx_addons_show_layout(), allowing an attacker with Contributor-level or higher privileges to supply a remote SVG containing malicious scripts. These scripts are stored and executed whenever any user accesses the affected page, leading to persistent XSS. The vulnerability requires authenticated access with at least Contributor privileges, does not require user interaction for exploitation once the malicious SVG is uploaded, and affects all versions of the plugin up to 2.35.1.1. The CVSS v3.1 score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impact on confidentiality and integrity but not availability. No known exploits in the wild have been reported yet, and no patches are currently linked, indicating that mitigation may require manual intervention or updates from the vendor. Stored XSS in WordPress plugins is particularly dangerous as it can lead to session hijacking, defacement, or further exploitation of site visitors and administrators.

For European organizations using WordPress sites with the ThemeREX Addons plugin, this vulnerability poses a significant risk to website integrity and user trust. Exploitation could allow attackers to execute arbitrary JavaScript in the context of the affected site, potentially stealing session cookies, redirecting users to malicious sites, or performing unauthorized actions on behalf of users. This can lead to data breaches, reputational damage, and compliance violations under regulations such as GDPR, especially if personal data is compromised. Since the vulnerability requires Contributor-level access, insider threats or compromised accounts could be leveraged to exploit this flaw. Additionally, many European businesses rely on WordPress for their online presence, including e-commerce, government portals, and media outlets, making this vulnerability a vector for broader cyberattacks or misinformation campaigns. The persistent nature of stored XSS means the malicious payload remains active until removed, increasing the window of exposure. The lack of a patch at the time of disclosure further elevates risk, necessitating immediate mitigation steps to prevent exploitation.

European organizations should immediately audit their WordPress installations to identify the presence and version of the ThemeREX Addons plugin. If found vulnerable (version 2.35.1.1 or earlier), restrict Contributor-level and higher privileges to trusted users only, implementing strict access controls and monitoring for suspicious activity. Disable or remove the plugin if it is not essential. For sites requiring the plugin, consider temporarily disabling SVG file uploads or shortcode/widget features that accept SVG parameters until a vendor patch is available. Implement Web Application Firewall (WAF) rules to detect and block suspicious SVG payloads or unusual shortcode usage patterns. Regularly review user-generated content for malicious SVGs and sanitize inputs where possible. Employ Content Security Policy (CSP) headers to restrict script execution sources, mitigating the impact of injected scripts. Finally, maintain up-to-date backups and monitor logs for signs of exploitation attempts. Engage with the vendor for patch timelines and apply updates promptly once released.