CVE-2025-6997 is a stored cross-site scripting vulnerability classified under CWE-79, found in the ThemeREX Addons plugin for WordPress. The vulnerability exists in all versions up to and including 2.35.1.1 due to inadequate sanitization and escaping of SVG files processed by the plugin. Specifically, the plugin’s SVG rendering routine invokes the trx_addons_get_svg_from_file() function on an unvalidated 'svg' parameter, which can be supplied via shortcode or Elementor widget settings. This parameter is not checked for URL origin, scheme, or SVG content safety, allowing authenticated users with Contributor-level permissions or higher to upload or reference remote SVG files containing malicious JavaScript. When these SVGs are rendered on a page, the malicious scripts execute in the context of any user viewing the page, enabling attacks such as session hijacking, privilege escalation, or unauthorized actions within the WordPress site. The vulnerability requires no user interaction beyond visiting the affected page but does require authenticated access to inject the payload. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and partial impact on confidentiality and integrity. No public exploits have been reported yet, but the vulnerability poses a significant risk given the widespread use of WordPress and ThemeREX Addons. The lack of patch links suggests a fix may not yet be available, emphasizing the need for immediate mitigation steps.

The primary impact of CVE-2025-6997 is the potential for stored cross-site scripting attacks that can compromise the confidentiality and integrity of WordPress sites using the ThemeREX Addons plugin. Attackers with Contributor-level access can inject malicious scripts that execute in the browsers of site visitors or administrators, potentially leading to session hijacking, theft of sensitive information, unauthorized content modification, or further exploitation of the site. This can damage organizational reputation, lead to data breaches, and facilitate lateral movement within the network. Since WordPress powers a significant portion of websites globally, including many business, government, and e-commerce sites, the vulnerability could affect a broad range of organizations. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with multiple contributors or less stringent access controls. The absence of known exploits in the wild currently reduces immediate risk but does not preclude future attacks once exploit code becomes available.

To mitigate CVE-2025-6997, organizations should take the following specific actions: 1) Immediately restrict Contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious SVG uploads. 2) Disable or restrict the use of SVG files in the ThemeREX Addons plugin, especially from untrusted or remote sources. 3) Implement strict input validation and sanitization on SVG files, including checking URL schemes, origins, and sanitizing SVG content to remove scripts or dangerous elements. 4) Monitor shortcode and Elementor widget usage for suspicious or unauthorized SVG parameters. 5) Apply web application firewall (WAF) rules to detect and block malicious SVG payloads or suspicious shortcode parameters. 6) Keep WordPress core, plugins, and themes updated, and monitor ThemeREX Addons plugin releases for patches addressing this vulnerability. 7) Conduct regular security audits and user access reviews to ensure least privilege principles are enforced. 8) Educate content contributors about the risks of uploading untrusted files and enforce content security policies where feasible. These targeted steps go beyond generic advice by focusing on the specific attack vector and plugin behavior.