Security Alert Summary
The trx_addons WordPress plugin before 2.38.5 contains an issue in one of its AJAX actions that does not correctly validate file types, allowing unauthenticated users to upload arbitrary files. The vulnerability is described as an incorrect fix of a prior issue (CVE-2024-13448) and can allow attacker-supplied files to be stored on affected sites.
CVE Details
- CVE ID: CVE-2026-1969
- Affected component: trx_addons WordPress plugin
- Affected versions: Versions before 2.38.5
- Published: March 23, 2026 at 6:16 AM UTC
- Last modified: March 23, 2026 at 2:31 PM UTC
- CVSS v3.1: Base Score 5.3, Severity MEDIUM, Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- Attack vector / complexity: Network / Low
- Authentication / privileges: No authentication required (unauthenticated)
- User interaction: None
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- CWE / weakness: CWE-434 (Unrestricted Upload of File with Dangerous Type)
Technical Details
The plugin fails to correctly validate file types in one of its AJAX actions, which allows unauthenticated users to upload arbitrary files. The issue is noted as resulting from an incorrect fix of CVE-2024-13448. Because the flaw is in file type validation for an AJAX upload action, an attacker can supply and store files that the plugin should have rejected.
The CVE description does not name specific function names or REST endpoints; it refers generally to an AJAX action within the trx_addons plugin. The impact is limited according to the provided CVSS metrics: integrity impact is rated as low, and there is no confidentiality or availability impact indicated. In practice, uploaded files could be used to modify site content, host attacker-controlled resources, or facilitate further social engineering, but the information available does not indicate arbitrary code execution or broader data disclosure by itself. Because the record does not state which file types are accepted or where the files are stored, treat any server-executable file (for example a .php file) found in a web-accessible upload directory as a potential code-execution path and prioritise it accordingly.
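The following is an added illustration of the CWE-434 pattern described above; it is not code from trx_addons, and the CVE record does not publish the affected action or function names. All names here (`example_upload`, `example_upload_nonce`, the handler functions) are invented. The first handler shows the weak pattern: an unauthenticated (`nopriv`) AJAX action that trusts the client-supplied MIME type and keeps the original filename. The second shows the hardened form: no anonymous hook, a nonce and capability check, and content-based type validation with WordPress's own helpers.

```php
<?php
// Added example: a hypothetical WordPress AJAX upload handler, not code from trx_addons.
// Action, nonce and function names are invented for illustration.

// --- Vulnerable pattern (CWE-434): anonymous action, client-controlled type check ---
add_action( 'wp_ajax_nopriv_example_upload', 'example_upload_vulnerable' ); // reachable without login
add_action( 'wp_ajax_example_upload', 'example_upload_vulnerable' );

function example_upload_vulnerable() {
    $file = $_FILES['file'];
    // $_FILES['file']['type'] comes from the client's multipart body; any value can be claimed.
    $allowed = array( 'image/jpeg', 'image/png' );
    if ( ! in_array( $file['type'], $allowed, true ) ) {
        wp_send_json_error( 'type not allowed' );
    }
    $upload_dir = wp_upload_dir();
    // Original name is kept, so "shell.php" with Content-Type: image/png lands in a web-served path.
    $dest = trailingslashit( $upload_dir['path'] ) . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $dest );
    wp_send_json_success( $upload_dir['url'] . '/' . basename( $file['name'] ) );
}

// --- Hardened pattern: authenticated, nonce-protected, content-validated ---
add_action( 'wp_ajax_example_upload_secure', 'example_upload_secure' ); // no nopriv hook at all

function example_upload_secure() {
    check_ajax_referer( 'example_upload_nonce', 'nonce' ); // CSRF check; dies on failure
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file received', 400 );
    }
    $file  = $_FILES['file'];
    $mimes = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png' ); // explicit allowlist

    // Sniffs the file content and reconciles it with the extension;
    // 'ext' and 'type' are false when the content and name disagree or the type is not allowed.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() re-validates against the allowlist, sanitizes the filename,
    // and stores the file under the uploads directory with a unique name.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $mimes ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'], 'type' => $result['type'] ) );
}
```

The two changes that matter most are removing the `wp_ajax_nopriv_` hook (the CVE is scored as unauthenticated precisely because such a hook exists) and deciding the file type from its bytes rather than from anything the client sends. Extension-only or MIME-header-only checks are the usual root cause of an "incorrect fix" for an upload bug: they can be bypassed with a renamed file or a forged `Content-Type`.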
How This Could Impact Your Website
Consider a typical site with a site owner, internal staff (editors or contributors), and external contractors who assist with content or design. An unauthenticated attacker could upload files that are then accessible on the site or used to display attacker-supplied content. Possible practical consequences include localized content modification or hosting of pages or files that support phishing or misleading messaging aimed at site visitors.
Because the CVSS confidentiality impact is listed as None, this issue does not by itself indicate disclosure of stored site data. However, the presence of attacker-supplied files increases the risk of targeted social engineering against staff or users and may harm visitor trust if malicious content is served from your domain.
If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update trx_addons to version 2.38.5 or later; all earlier versions are affected.
- Review and reduce unnecessary user roles, especially contributors. This limits what a compromised account can do, although this particular issue requires no account at all.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins.
- Monitor site activity and the uploads directory for unexpected files, in particular server-executable files (such as .php) or files whose content does not match their extension.
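As an added example of the last recommendation (not part of the original page, trx_addons or WordPress), the following standalone PHP CLI script walks an uploads directory and flags three things an attacker-supplied file from an upload bug typically exhibits: a server-executable extension anywhere in the name (including double extensions such as `x.php.jpg`), content whose leading bytes do not match the claimed image or PDF extension, and a PHP open tag inside a file of any name. The directory path and the extension lists are assumptions; adjust them to your server.

```php
<?php
// Added example: scan a WordPress uploads directory for files that should not be there.
// Not part of trx_addons or WordPress. Usage: php scan_uploads.php /var/www/html/wp-content/uploads
// The default path below is an assumption.

// Extensions a typical PHP web server may execute; none of these belong under uploads.
const EXECUTABLE_EXTS = array( 'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phtml', 'phar', 'pht', 'shtml', 'cgi', 'pl', 'htaccess' );

// Expected leading bytes for common upload types; a mismatch means the extension misdescribes the content.
const MAGIC = array(
    'jpg'  => "\xFF\xD8\xFF",
    'jpeg' => "\xFF\xD8\xFF",
    'png'  => "\x89PNG",
    'gif'  => "GIF8",
    'pdf'  => "%PDF",
);

/**
 * Returns a list of [path, reason] pairs for suspicious files under $root.
 */
function scan_uploads( string $root ): array {
    $findings = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $path => $info ) {
        if ( ! $info->isFile() ) {
            continue;
        }
        $parts = explode( '.', strtolower( $info->getFilename() ) );
        $ext   = count( $parts ) > 1 ? end( $parts ) : '';

        // 1. Executable extension anywhere after the first dot (catches "a.php" and "a.php.jpg").
        foreach ( array_slice( $parts, 1 ) as $p ) {
            if ( in_array( $p, EXECUTABLE_EXTS, true ) ) {
                $findings[] = array( $path, 'server-executable extension' );
                continue 2;
            }
        }

        $head = (string) file_get_contents( $path, false, null, 0, 4096 );

        // 2. Declared type versus actual leading bytes.
        if ( isset( MAGIC[ $ext ] ) && 0 !== strncmp( $head, MAGIC[ $ext ], strlen( MAGIC[ $ext ] ) ) ) {
            $findings[] = array( $path, 'content does not match extension' );
            continue;
        }

        // 3. PHP open tag inside the first 4 KiB of any file (polyglots, renamed scripts).
        if ( false !== strpos( $head, '<?php' ) || false !== strpos( $head, '<?=' ) ) {
            $findings[] = array( $path, 'PHP code embedded in non-PHP file' );
        }
    }
    return $findings;
}

$root = $argv[1] ?? 'wp-content/uploads'; // assumed default location
if ( ! is_dir( $root ) ) {
    fwrite( STDERR, "not a directory: {$root}\n" );
    exit( 2 );
}
foreach ( scan_uploads( $root ) as list( $path, $reason ) ) {
    echo "{$reason}\t{$path}\n";
}
```

Run it from cron or after any plugin update and compare successive outputs; a new hit under `wp-content/uploads` dated after the plugin was installed is worth pulling for inspection before it is served to visitors. The script only reads files, so it is safe to run on a live site.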
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.