The ThemeREX Addons plugin for WordPress suffers from a stored cross-site scripting vulnerability due to improper neutralization of input during web page generation (CWE-79). The vulnerability exists in the SVG rendering routine where the function trx_addons_get_svg_from_file() processes an unvalidated 'svg' parameter from shortcode or Elementor widget settings. Because there is no validation of the SVG URL's origin, scheme, or content, an authenticated attacker with Contributor or higher privileges can inject malicious scripts via remote SVG files. These scripts execute in the context of users viewing the pages containing the SVG, potentially leading to session hijacking or other client-side attacks. The vulnerability affects all versions up to and including 2.35.1.1. No patch or official fix information is provided in the data.

An attacker with Contributor-level or higher access can upload or reference a malicious remote SVG file that contains executable scripts. These scripts are stored and rendered to users visiting the affected pages, enabling cross-site scripting attacks. The impact includes potential theft of user credentials, session tokens, or other malicious client-side actions. The vulnerability does not affect availability but impacts confidentiality and integrity of user sessions. The CVSS vector indicates network attack vector, low attack complexity, privileges required, no user interaction, and scope change.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Contributor-level access to trusted users only and consider disabling SVG file uploads or shortcode/widget features that accept SVG parameters. Monitor for updates from ThemeREX regarding patches or official mitigations. Avoid using untrusted SVG content in the plugin's shortcode or Elementor widgets.