CVE-2025-6997 is a stored Cross-Site Scripting (XSS) vulnerability affecting the ThemeREX Addons plugin for WordPress, specifically in all versions up to and including 2.35.1.1. The vulnerability arises from improper input sanitization and output escaping in the plugin's handling of SVG file uploads. The plugin uses the function trx_addons_get_svg_from_file() to process an 'svg' parameter supplied via shortcode or Elementor widget settings without validating the URL's origin, scheme, or the SVG content itself. This unvalidated SVG content is then rendered through trx_addons_show_layout(), allowing an authenticated attacker with Contributor-level access or higher to supply a remote SVG containing malicious JavaScript. When any user accesses the page containing the injected SVG, the malicious script executes in their browser context. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), indicating a classic XSS flaw. The CVSS v3.1 base score is 6.4 (medium severity), reflecting network attack vector, low attack complexity, requiring privileges (Contributor or above), no user interaction, and a scope change with partial confidentiality and integrity impacts but no availability impact. No known exploits are reported in the wild yet. This vulnerability can lead to session hijacking, defacement, or further exploitation of user browsers visiting affected pages. The root cause is the lack of validation on SVG inputs and the direct rendering of potentially malicious SVG content, which can embed scripts that execute in the context of the WordPress site.

For European organizations using WordPress sites with the ThemeREX Addons plugin, this vulnerability poses a significant risk to website integrity and user trust. Attackers with Contributor-level access (which may be easier to obtain via phishing or compromised accounts) can inject malicious scripts that execute in the browsers of site visitors, potentially leading to credential theft, session hijacking, or distribution of malware. This can damage brand reputation, lead to data breaches involving user information, and cause regulatory compliance issues under GDPR due to unauthorized data exposure. Since the vulnerability allows scope change, it could also enable attackers to escalate privileges or pivot to other parts of the web infrastructure. The impact is particularly critical for organizations relying on their websites for customer interaction, e-commerce, or sensitive communications. Additionally, the stored nature of the XSS means the malicious payload persists and affects all visitors until remediated, increasing the attack surface. Given the widespread use of WordPress in Europe and the popularity of ThemeREX themes and addons, many SMEs and larger enterprises could be affected if they have not updated or mitigated this vulnerability.

1. Immediate update or patching: Organizations should monitor ThemeREX and WordPress plugin repositories for official patches addressing CVE-2025-6997 and apply them promptly once available. 2. Restrict Contributor-level access: Limit the number of users with Contributor or higher privileges to trusted personnel only, and enforce strong authentication mechanisms such as MFA to reduce the risk of account compromise. 3. Input validation and sanitization: Implement server-side validation to restrict SVG uploads to trusted sources or disallow remote SVG URLs entirely. Use security plugins or custom code to sanitize SVG content, removing scripts or potentially dangerous elements before rendering. 4. Content Security Policy (CSP): Deploy a strict CSP header to restrict script execution sources and mitigate the impact of injected scripts. 5. Monitor and audit: Regularly audit user uploads and shortcode/widget configurations for suspicious SVG URLs or content. Use web application firewalls (WAFs) with rules targeting SVG-based XSS attacks. 6. User awareness and training: Educate site administrators and content contributors about the risks of uploading untrusted SVG files and the importance of following security best practices. 7. Disable or limit shortcode/widget usage for SVGs if not essential, or replace with safer alternatives.