Tag Archives: Wordpress vulnerability

Zero-Day Vulnerability in ThemeREX Addons WordPress Plugin

Description: Remote Code Execution
Affected Plugin:ThemeREX Addons
Plugin Slug: trx_addons
Affected Versions: Versions greater than 1.6.50
CVSS Score: 9.8 (Critical)
Patched Version: Currently No Patch.

Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.

At the time of writing, this vulnerability is being actively exploited, therefore we urge users to temporarily remove the ThemeREX Addons plugin if you are running a version greater than 1.6.50 until a patch has been released.