CVE-2026-1969
Published 2026-03-23
Priority P2 (79) · medium · 5.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
In the wild: VulnCheck KEV · Exploited in the wild
EPSS: 0.20% (9.8th percentile)
The trx_addons WordPress plugin before 2.38.5 does not correctly validate file types in one of its AJAX actions, allowing unauthenticated users to upload arbitrary files. This is due to an incorrect fix of CVE-2024-13448, so sites that only took the earlier fix remain exposed until they move to 2.38.5.
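A quick way to find affected installs, as an added example (my own code, not the plugin's, WPScan's or any vendor's): read the `Version:` header of the plugin's main file and compare it numerically against 2.38.5, the fixed version named above. The main file name `trx_addons.php`, the plugin directory name, the install root and the sample header are assumptions constructed for the example.

```python
"""Flag trx_addons installs below the fixed version 2.38.5 (CVE-2026-1969).
Added example; not the plugin's or any vendor's code."""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "2.38.5"             # fixed version named in the advisory
PLUGIN_DIR = "trx_addons"            # assumption: plugin directory name
PLUGIN_MAIN_FILE = "trx_addons.php"  # assumption: the plugin's main file name

# WordPress plugin headers are "Key: value" lines in the main file's leading
# comment block; only the Version line matters here.
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)


def parse_version(version: str) -> tuple:
    """'2.38.10' -> (2, 38, 10). Numeric tuples compare correctly; plain string
    comparison would wrongly rank '2.38.10' below '2.38.5'."""
    parts = []
    for piece in re.split(r"[.\-]", version):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def header_version(file_text: str):
    """Return the Version header value, or None if the file has none."""
    m = _VERSION_RE.search(file_text)
    return m.group(1) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the version is strictly below the fixed version."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def scan_install(wp_root) -> dict:
    """Map each trx_addons plugin directory under wp-content/plugins to
    (version, vulnerable); vulnerable is None if no Version header was found."""
    results = {}
    plugins = Path(wp_root) / "wp-content" / "plugins"
    for main in plugins.glob(PLUGIN_DIR + "*/" + PLUGIN_MAIN_FILE):
        text = main.read_text(errors="replace")[:8192]  # the header sits at the top
        ver = header_version(text)
        results[main.parent.name] = (ver, is_vulnerable(ver) if ver else None)
    return results


# Constructed sample header for the demo, not copied from the real plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: ThemeREX Addons (constructed sample)
 * Version: 2.38.4
 */
"""


def demo() -> dict:
    """Build a throwaway install containing the sample header and scan it."""
    with tempfile.TemporaryDirectory() as root:
        main = Path(root) / "wp-content" / "plugins" / PLUGIN_DIR / PLUGIN_MAIN_FILE
        main.parent.mkdir(parents=True)
        main.write_text(SAMPLE_HEADER)
        return scan_install(root)


if __name__ == "__main__":
    for name, (ver, vuln) in demo().items():
        print(f"{name}: version {ver} -> {'VULNERABLE' if vuln else 'ok'}")
```

Point `scan_install()` at a real document root to check a host; a plugin directory that was renamed (for example `trx_addons-old`) is still picked up because the glob matches on the directory prefix.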
CVSS provenance
NVD: v3.1 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
VulnCheck: 9.8 CRITICAL
The gap is in the impact assessment: NVD's vector credits only a low integrity impact (C:N/I:L/A:N), while VulnCheck and GHSA rate the bug 9.8, the score an unauthenticated, network-reachable arbitrary file upload gets once it is treated as leading to code execution (C:H/I:H/A:H). For a WordPress site the second reading is the one to plan around.
GHSA · 2026-04-29
CVE-2026-42522 [MEDIUM] CWE-862 Jenkins GitHub Branch Source Plugin: Missing permissions check allows attackers to perform a connection test
Jenkins GitHub Branch Source Plugin versions 1967.vdea_d580c1a_b_a_ and earlier do not perform a permission check in a method implementing form validation.
This allows attackers with Overall/Read permission to connect to an attacker-specified URL with attacker-specified GitHub App credentials.
GitHub Branch Source Plugin 1967.1969.v205fd594c821 requires Overall/Manage permission to perform the connection test.
GHSA (unreviewed) · 2026-03-23 · CVSS 9.8
CVE-2026-1969 [CRITICAL] CWE-434 GHSA-qxq6-27j9-fv97 (description as in the NVD text above)
VulnCheck · 2026 · CVSS 9.8
CVE-2026-1969 [CRITICAL] Unrestricted Upload of File with Dangerous Type (CWE-434)
Description as in the NVD text above.
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://patchstack.com/database/wordpress/plugin/trx_addons/vulnerability/wordpress-themerex-addons-plugin-2-38-5-unauthenticated-arbitrary-file-upload-vulnerability
No detection rules found.
No public exploits indexed (the Wiz entry below reports "Has Public Exploit: Yes"; the Patchstack advisory above is the only exploitation reference on this page).
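The CWE-434 class named above covers upload handlers that decide on the client-supplied MIME type or on a loose extension check. The following added example is my own generic illustration, not the plugin's code and not a description of how its check failed (the page does not detail that). It shows what a stricter server-side decision looks like: only the final extension counts, it must be on an allow-list, the leading bytes must agree with it, and the file is stored under a server-generated name. The allow-list and magic prefixes are constructed for the example.

```python
"""Generic allow-list upload validator (CWE-434 illustration).
Added example; not the plugin's code."""
import secrets

# Constructed allow-list: extension -> magic-byte prefixes the content must start with.
ALLOWED_TYPES = {
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif":  (b"GIF87a", b"GIF89a"),
    "pdf":  (b"%PDF-",),
}


def final_extension(filename: str) -> str:
    """Lower-cased last extension of the base name. Anything after a NUL byte is
    dropped first, so a name like shell.php<NUL>.png yields 'php', not 'png', and
    directory components are ignored so traversal in the name cannot help."""
    name = filename.split("\x00", 1)[0]
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def validate_upload(filename: str, content: bytes, client_mime: str = "") -> tuple:
    """Return (accepted, reason). client_mime is attacker-controlled and is
    deliberately never consulted; only the name and the bytes decide."""
    ext = final_extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, f"extension {ext!r} is not on the allow-list"
    if not any(content.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, f"content does not look like a .{ext} file"
    return True, "ok"


def stored_name(filename: str) -> str:
    """Server-generated name: random stem plus the validated extension, so the
    client's original name never reaches the filesystem."""
    return f"{secrets.token_hex(16)}.{final_extension(filename)}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    for name, data in [("photo.PNG", png), ("shell.php", b"<?php echo 1;"),
                       ("shell.php\x00.png", png), ("notes.png", b"<?php echo 1;")]:
        print(repr(name), validate_upload(name, data))
```

This is one layer, not the whole defence: a polyglot (valid PNG header followed by PHP) still passes the byte check, so the upload directory must also deny script execution and files should be served with a fixed content type.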
Wiz · CVSS 9.8
CVE-2026-1969 [CRITICAL] CVE-2026-1969 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1969: WordPress vulnerability analysis and mitigation
Description as in the NVD text above (source: NVD).
## Score: 5.3
Published: March 23, 2026
Severity: MEDIUM
CNA Score: 5.3
Affected Technologies: WordPress
Has Public Exploit: Yes
Has CISA KEV Exploit: No
CISA KEV Release Date: N/A
CISA KEV Due Date: N/A
Exploitation Probability Percentile (EPSS): 15.9
Exploitation Probability (EPSS): 0.1
Affected packages and libraries: trx_addons
Sources: NVD
Bugzilla · 2026-06-24 · CVSS 4.3
CVE-2026-57285 [MEDIUM] Jenkins GitHub Branch Source Plugin: Information disclosure via missing permission check
A missing permission check in Jenkins GitHub Branch Source Plugin 1967.1969.v205fd594c821 and earlier allows attackers with Overall/Read permission to obtain the URLs of GitHub Enterprise servers configured in the global plugin configuration.