
ThemeREX Addons EUVD-2025-210223 | CVE-2025-60205
Severity: CRITICAL, CVSS 3.1 base score 9.8 (vendor: Patchstack)
Weakness: Deserialization of Untrusted Data (CWE-502)
Date: 2026-06-17 (Patchstack)

Severity by source

Vendor (Patchstack), primary: 9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL

Unauthenticated remote PHP object injection in a WordPress plugin endpoint enables full RCE via POP chains, justifying AV:N/AC:L/PR:N/UI:N and C/I/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS Vector (Vendor: Patchstack)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jun 17, 2026 - 12:45 (vuln.today)

Description (CVE.org)

Unauthenticated PHP Object Injection in ThemeREX Addons <= 2.36.1.1 versions.

Analysis (AI)

Unauthenticated PHP object injection in the ThemeREX Addons WordPress plugin (versions 2.36.1.1 and earlier) allows remote attackers to inject crafted serialized objects that the plugin deserializes, potentially leading to remote code execution, arbitrary file operations, or full site compromise when a suitable PHP gadget chain is present. The flaw is reachable without authentication and scores CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit was identified at the time of analysis, and the CVE is not currently listed in CISA KEV.

Technical Context (AI)

ThemeREX Addons (also tracked as trx_addons) is a widely deployed WordPress plugin that bundles helper shortcodes, widgets, and import utilities for ThemeREX commercial themes. The root cause is CWE-502 (Deserialization of Untrusted Data): the plugin invokes PHP's unserialize() on attacker-controlled input without first validating or constraining the allowed classes. When unserialize() rehydrates an object, PHP automatically invokes magic methods such as __wakeup(), __destruct(), or __toString(); if any class loaded in the WordPress runtime (core, another plugin, or a dependency) exposes a usable POP gadget chain through those magic methods, an attacker can pivot deserialization into file writes, arbitrary function calls, or remote code execution. The CPE cpe:2.3:a:themerex:themerex_addons:*:* confirms the entire ThemeREX Addons product line up to 2.36.1.1 is in scope.

Remediation (AI)

Upgrade ThemeREX Addons to a release later than 2.36.1.1 once the vendor publishes a fixed version. The input data does not name a specific patched version, so administrators should consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/trx_addons/vulnerability/wordpress-themerex-addons-plugin-2-35-3-php-object-injection-vulnerability) and the ThemeREX vendor site for the latest release. Until a patched version is installed: deactivate the ThemeREX Addons plugin (note that this breaks any theme features that depend on it, including shortcodes, widgets, and demo importers); deploy a virtual patch via Patchstack, or a WAF rule that blocks serialized PHP payloads (strings beginning with O:, a:, or s: in request parameters reaching trx_addons endpoints), bearing in mind that such a rule can false-positive on legitimate admin traffic; and restrict access to wp-admin/admin-ajax.php and any plugin-exposed REST routes via IP allow-listing where feasible. Patch status: no vendor-released patch was identified at the time of analysis in the provided input.
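The interim WAF rule described above is easy to get wrong in either direction: matching every a:/s: prefix floods admins with false positives, while a sloppy O: check misses nothing but also flags harmless text. The following is an added example, not code from vuln.today, Patchstack or the ThemeREX plugin: a small Python scanner that flags request parameters carrying serialized PHP data, reporting only O: object payloads by default (the shape CWE-502 object injection needs) and a:/s: values only in a looser mode. The endpoint paths, parameter names and sample requests are constructed placeholders, not the plugin's real action names.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Strict shape of a serialized PHP object: O:<len>:"<ClassName>":<props>:{
# Only this form rehydrates a class instance, the CWE-502 gadget entry point.
PHP_OBJECT_RE = re.compile(r'^O:\d+:"[A-Za-z_\\][A-Za-z0-9_\\]*":\d+:\{')
# Looser shapes (serialized arrays and strings) also occur in legitimate
# WordPress admin traffic, which is the false-positive risk the advisory notes.
PHP_LOOSE_RE = re.compile(r'^(?:a:\d+:\{|s:\d+:")')

def classify_value(value: str) -> Optional[str]:
    """Return 'object', 'loose' or None for one URL-decoded parameter value."""
    v = value.lstrip()
    if PHP_OBJECT_RE.match(v):
        return "object"
    if PHP_LOOSE_RE.match(v):
        return "loose"
    return None

def scan_request(url: str, body: str = "", strict: bool = True) -> List[Tuple[str, str]]:
    """Flag query/body parameters carrying serialized PHP data.

    strict=True reports only O: objects; strict=False also reports a:/s: values.
    Base64-wrapped or JSON-nested payloads are not decoded, so this is a
    first-pass filter, not a substitute for the vendor patch.
    """
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    hits = []
    for name, value in params:
        kind = classify_value(value)
        if kind == "object" or (kind == "loose" and not strict):
            hits.append((name, kind))
    return hits

# Constructed sample requests (not captured traffic); endpoint and parameter
# names are placeholders, not the plugin's real action names.
SAMPLE_REQUESTS = [
    ("/wp-admin/admin-ajax.php?action=example_action",
     "data=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D"),  # serialized object
    ("/wp-json/example/v1/import",
     "settings=a%3A1%3A%7Bs%3A3%3A%22key%22%3Bs%3A5%3A%22value%22%3B%7D"),  # array
    ("/wp-admin/admin-ajax.php?action=heartbeat", "data%5Bwp-auth-check%5D=true"),
    ("/?s=O%3Ahello", ""),  # starts with "O:" but is not an object
]
```

Run `scan_request(url, body)` per request in strict mode for alerting, and switch to `strict=False` only when hunting retrospectively, since the array and string prefixes match routine WordPress admin traffic.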


EUVD-2025-210223 vulnerability details – vuln.today
