CVE-2020-10257
CRITICAL EPSS 94.6%
Published Mar 10, 2020 · Modified Jun 17, 2026
9.8 CVSS 3.1
Description
The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing PHP functions to be executed by any user, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.
CVSS Details
Base Score: 9.8 (CVSS 3.1)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Threat Intelligence
EPSS Exploit Probability: 94.6% percentile
Exploit & Patch Status
- Public Exploit Known
- No Patch Available
Weaknesses (2)
- CWE-862: Missing Authorization
- CWE-94: Improper Control of Generation of Code (Code Injection)
Affected Products (124)
| Vendor | Product | Version | Range |
|---|---|---|---|
| themerex | addons | 1.70.3 | any |
| themerex | ozeum-museum | * | <1.0.2 |
| themerex | addons | 1.70.3 | any |
| themerex | chit_club-board_games | * | <1.0.1 |
| themerex | addons | 1.6.67 | any |
| themerex | yottis-simple_portfolio | * | <1.0.1 |
| themerex | addons | 1.6.66 | any |
| themerex | helion-agency_&portfolio | * | <1.0.3 |
| themerex | addons | 1.6.66 | any |
| themerex | amuli | * | <1.0.2 |
| themerex | addons | 1.6.65 | any |
| themerex | nelson-barbershop_+_tattoo_salon | * | <1.0.1.2001 |
| themerex | addons | 1.6.65 | any |
| themerex | hallelujah-church | * | <1.0.1 |
| themerex | addons | 1.6.65 | any |
| themerex | right_way | * | <4.0.1 |
| themerex | addons | 1.6.65 | any |
| themerex | prider-pride_fest | * | <1.0.2 |
| themerex | addons | 1.6.62.3 | any |
| themerex | mystik-esoterics | * | <1.0.1 |
| themerex | addons | 1.6.62.3 | any |
| themerex | skydiving_and_flying_company | * | <1.0.1 |
| themerex | addons | 1.6.62.1 | any |
| themerex | dronex-aerial_photography_services | * | <1.1.2001 |
| themerex | addons | 1.6.61.2 | any |
| themerex | samadhi-buddhist | * | <1.0.1 |
| themerex | addons | 1.6.61.3 | any |
| themerex | tantum-rent_a_car,_rent_a_bike,_rent_a_scooter_multiskin_theme | * | <1.0.2 |
| themerex | addons | 1.6.61.2 | any |
| themerex | scientia-public_library | * | <1.0.1 |
| themerex | addons | 1.6.61.2 | any |
| themerex | blabber | * | <1.5.2009 |
| themerex | addons | 1.6.61.1 | any |
| themerex | impacto_patronus_multi-landing | * | <1.1.2001 |
| themerex | addons | 1.6.61 | any |
| themerex | rare_radio | * | <1.0.1 |
| themerex | addons | 1.6.60 | any |
| themerex | piqes-creative_startup_&_agency_wordpress_theme | * | <1.0.1 |
| themerex | addons | 1.6.59.3 | any |
| themerex | kratz-digital_agency | * | <1.0.2 |
| themerex | addons | 1.6.59.2 | any |
| themerex | pixefy | * | <1.0.1 |
| themerex | addons | 1.6.59.1.1 | any |
| themerex | netmix-broadband_&_telecom | * | <1.0.2 |
| themerex | addons | 1.6.59 | any |
| themerex | kids_care | * | <3.0.5 |
| themerex | addons | 1.6.58.2 | any |
| themerex | briny-diving_wordpress_theme | * | <1.2.2000 |
| themerex | addons | 1.6.57.3 | any |
| themerex | tornados | * | <1.1.2001 |
| themerex | addons | 1.6.57.4 | any |
| themerex | gridiron | * | <1.0.2 |
| themerex | addons | 1.6.57.2 | any |
| themerex | yungen-digital/marketing_agency | * | <1.0.1 |
| themerex | addons | 1.6.57.3 | any |
| themerex | fc_united-football | * | <1.0.7 |
| themerex | addons | 1.6.57.2 | any |
| themerex | bugster-pests_control | * | <1.0.2 |
| themerex | addons | 1.6.57 | any |
| themerex | rumble-single_fighter_boxer,_news,_gym,_store | * | <1.0.4 |
| themerex | addons | 1.6.56 | any |
| themerex | tacticool-shooting_range_wordpress_theme | * | <1.0.1 |
| themerex | addons | 1.6.55.4 | any |
| themerex | coinpress-cryptocurrency_magazine_&_blog_wordpress_theme | * | <1.0.2 |
| themerex | addons | 1.6.55.7 | any |
| themerex | vihara-ashram,_buddhist | * | <1.1.2001 |
| themerex | addons | 1.6.55.3 | any |
| themerex | katelyn-gutenberg_wordpress_blog_theme | * | <1.0.4 |
| themerex | addons | 1.6.55.1 | any |
| themerex | heaven_11-multiskin_property_theme | * | <1.0.2 |
| themerex | addons | 1.6.54 | any |
| themerex | especio-food_gutenberg_theme | * | <1.0.1 |
| themerex | addons | 1.6.53.1 | any |
| themerex | partiso_electioncampaign | * | <1.1.2002 |
| themerex | addons | 1.6.53.3 | any |
| themerex | kargo-freight_transport | * | <1.1.2004 |
| themerex | addons | 1.6.53.2 | any |
| themerex | maxify-startup_blog | * | <1.0.4 |
| themerex | addons | 1.6.53.1 | any |
| themerex | lingvico-language_learning_school | * | <1.0.3 |
| themerex | addons | 1.6.53.2 | any |
| themerex | aldo-gutenberg_wordpress_blog_theme | * | <1.0.2 |
| themerex | addons | 1.6.52.2 | any |
| themerex | vixus-startup_/_mobile_application | * | <1.0.4 |
| themerex | addons | 1.6.52.1 | any |
| themerex | wellspring_water_filter_systems | * | <1.0.3 |
| themerex | addons | 1.6.52.1 | any |
| themerex | nazareth-church | * | <1.0.5 |
| themerex | addons | 1.6.53 | any |
| themerex | tediss-soft_play_area,_cafe_&_child_care_center | * | <1.0.3 |
| themerex | addons | 1.6.51.3 | any |
| themerex | yolox-startup_magazine_&_blog_wordpress_theme | * | <1.0.3 |
| themerex | addons | 1.6.51.3 | any |
| themerex | meals_and_wheels-food_truck | * | <1.0.3 |
| themerex | addons | 1.6.51.1 | any |
| themerex | rosalinda-vegetarian_&_health_coach | * | <1.0.3 |
| themerex | addons | 1.6.50 | any |
| themerex | vapester | * | <1.1.2001 |
| themerex | addons | 1.6.50 | any |
| themerex | modern_housewife-housewife_and_family_blog | * | <1.0.2 |
| themerex | addons | 1.6.50.1 | any |
| themerex | chainpress | * | <1.0.3 |
| themerex | addons | 1.6.51.1 | any |
| themerex | justitia-multiskin_lawyer_theme | * | <1.0.3 |
| themerex | addons | 1.6.50 | any |
| themerex | hobo_digital_nomad_blog | * | <1.0.3 |
| themerex | addons | 1.6.50.1 | any |
| themerex | rhodos-creative_corporate_wordpress_theme | * | <1.3.2001 |
| themerex | addons | 1.6.50 | any |
| themerex | buzz_stone-magazine_&_blog | * | <1.0.3 |
| themerex | addons | 1.0.49.10 | any |
| themerex | corredo_sport_event | * | <1.1.2003 |
| themerex | addons | 1.6.49.8 | any |
| themerex | savejulia_personal_fundraising_campaign | * | <1.0.3 |
| themerex | addons | 1.6.49.6 | any |
| themerex | bonkozoo_zoo | * | <1.0.3 |
| themerex | addons | 1.6.49.6.2 | any |
| themerex | renewal-plastic_surgeon_clinic | * | <1.0.3 |
| themerex | addons | 1.6.49.5 | any |
| themerex | gloss_blog | * | <1.0.1 |
| themerex | addons | 1.6.58.2 | any |
| themerex | plumbing-repair,_building_&_construction_wordpress_theme | * | <3.0.1 |
| themerex | addons | 1.6.61.2 | any |
| themerex | topper_theme_and_skins | * | any |
References (1)
- wordfence.com: https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.