CVE-2026-1969 PUBLISHED

ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload

Assigner: WPScan
Reserved: 05.02.2026 Published: 23.03.2026 Updated: 23.03.2026

The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX actions, allowing unauthenticated users to upload arbitrary files. This is due to an incorrect fix of CVE-2024-13448.

Product Status

Vendor Unknown
Product trx_addons
Versions Default: unaffected
  • affected from 0 to 2.38.5 (excl.)

Credits

  • Erwan LR (WPScan) finder
  • WPScan coordinator

Problem Types

  • CWE-434 Unrestricted Upload of File with Dangerous Type