CVE-2026-1969
ThemeREX Addons < 2.38.5 - Unauthenticated Arbitrary File Upload
Description
The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX action, allowing unauthenticated users to upload arbitrary file. This is due to an incorrect fix of CVE-2024-13448
In plain language
AI Act nowIf you run the trx_addons WordPress plugin, older versions (before 2.38.5) can be abused by outsiders to upload harmful files without logging in—this is the kind of weakness attackers are actively scanning for, so you should update.
CVE-2026-1969 is an unauthenticated arbitrary file upload in the trx_addons WordPress plugin (versions before 2.38.5) caused by improper file type validation in an AJAX action, enabling attackers to upload files such as webshells.
What to do now
- Check whether your website uses the trx_addons WordPress plugin and note its exact version number.
- If the version is earlier than 2.38.5, upgrade trx_addons to 2.38.5.
- If you cannot upgrade right away, temporarily disable the trx_addons plugin and remove/clean any suspicious files in the WordPress plugin/theme upload areas until it’s patched.
- After updating, review WordPress access logs and server logs for unusual POST/AJAX requests to the trx_addons endpoints and for any newly created files uploaded around the time of alerts.
npm install trx_addons@2.38.5CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:NConfidentialityI:LIntegrityA:NAvailabilityWeaknesses
Exploitability
Attack Graph
Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/⌘ + scroll to zoom, or go fullscreen.
MITRE ATT&CK
3 techniquesReferences
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2026-1969 and every CVE in our database. Create a free account — no credit card required.
Create Free Account