CVE-2026-1969
MEDIUM EXPLOITED
ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload
Title source: cna
Exploitation Summary
CVE-2026-1969 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX actions, allowing unauthenticated users to upload arbitrary files. This is due to an incorrect fix of CVE-2024-13448.
References (1)
Core References
https://wpscan.com/vulnerability/762530ae-80a5-4ff8-9725-6adab9498c33/ (exploit, vdb-entry, technical-description)
Scores
CVSS v3
5.3
EPSS
0.0020
EPSS Percentile
9.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
VulnCheck KEV
2026-04-30
CWE
CWE-434
Status
published
Products (1)
Unknown/trx_addons
< 2.38.5
Published
Mar 23, 2026
Tracked Since
Mar 23, 2026