Vulnerability Details CVE-2020-10257
The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.013
EPSS Ranking 79.2%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
Products affected by CVE-2020-10257
- _building_&_construction_wordpress_theme:-
- _cafe_&_child_care_center:-
- _rent_a_scooter_multiskin_theme:-
- cpe:2.3:a:themerex:addons:1.0.49.10
- cpe:2.3:a:themerex:addons:1.6.49.5
- cpe:2.3:a:themerex:addons:1.6.49.6
- cpe:2.3:a:themerex:addons:1.6.49.6.2
- cpe:2.3:a:themerex:addons:1.6.49.8
- cpe:2.3:a:themerex:addons:1.6.50
- cpe:2.3:a:themerex:addons:1.6.50.1
- cpe:2.3:a:themerex:addons:1.6.51.1
- cpe:2.3:a:themerex:addons:1.6.51.3
- cpe:2.3:a:themerex:addons:1.6.52.1
- cpe:2.3:a:themerex:addons:1.6.52.2
- cpe:2.3:a:themerex:addons:1.6.53
- cpe:2.3:a:themerex:addons:1.6.53.1
- cpe:2.3:a:themerex:addons:1.6.53.2
- cpe:2.3:a:themerex:addons:1.6.53.3
- cpe:2.3:a:themerex:addons:1.6.54
- cpe:2.3:a:themerex:addons:1.6.55.1
- cpe:2.3:a:themerex:addons:1.6.55.3
- cpe:2.3:a:themerex:addons:1.6.55.4
- cpe:2.3:a:themerex:addons:1.6.55.7
- cpe:2.3:a:themerex:addons:1.6.56
- cpe:2.3:a:themerex:addons:1.6.57
- cpe:2.3:a:themerex:addons:1.6.57.2
- cpe:2.3:a:themerex:addons:1.6.57.3
- cpe:2.3:a:themerex:addons:1.6.57.4
- cpe:2.3:a:themerex:addons:1.6.58.2
- cpe:2.3:a:themerex:addons:1.6.59
- cpe:2.3:a:themerex:addons:1.6.59.1.1
- cpe:2.3:a:themerex:addons:1.6.59.2
- cpe:2.3:a:themerex:addons:1.6.59.3
- cpe:2.3:a:themerex:addons:1.6.60
- cpe:2.3:a:themerex:addons:1.6.61
- cpe:2.3:a:themerex:addons:1.6.61.1
- cpe:2.3:a:themerex:addons:1.6.61.2
- cpe:2.3:a:themerex:addons:1.6.61.3
- cpe:2.3:a:themerex:addons:1.6.62.1
- cpe:2.3:a:themerex:addons:1.6.62.3
- cpe:2.3:a:themerex:addons:1.6.65
- cpe:2.3:a:themerex:addons:1.6.66
- cpe:2.3:a:themerex:addons:1.6.67
- cpe:2.3:a:themerex:addons:1.70.3
- cpe:2.3:a:themerex:aldo-gutenberg_wordpress_blog_theme:-
- cpe:2.3:a:themerex:amuli:-
- cpe:2.3:a:themerex:blabber:-
- cpe:2.3:a:themerex:bonkozoo_zoo:-
- cpe:2.3:a:themerex:briny-diving_wordpress_theme:-
- cpe:2.3:a:themerex:bugster-pests_control:-
- cpe:2.3:a:themerex:buzz_stone-magazine_&_blog:-
- cpe:2.3:a:themerex:chainpress:-
- cpe:2.3:a:themerex:chit_club-board_games:-
- cpe:2.3:a:themerex:coinpress-cryptocurrency_magazine_&_blog_wordpress_theme:-
- cpe:2.3:a:themerex:corredo_sport_event:-
- cpe:2.3:a:themerex:dronex-aerial_photography_services:-
- cpe:2.3:a:themerex:especio-food_gutenberg_theme:-
- cpe:2.3:a:themerex:fc_united-football:-
- cpe:2.3:a:themerex:gloss_blog:-
- cpe:2.3:a:themerex:gridiron:-
- cpe:2.3:a:themerex:hallelujah-church:-
- cpe:2.3:a:themerex:heaven_11-multiskin_property_theme:-
- cpe:2.3:a:themerex:helion-agency_&portfolio:-
- cpe:2.3:a:themerex:hobo_digital_nomad_blog:-
- cpe:2.3:a:themerex:impacto_patronus_multi-landing:-
- cpe:2.3:a:themerex:justitia-multiskin_lawyer_theme:-
- cpe:2.3:a:themerex:kargo-freight_transport:-
- cpe:2.3:a:themerex:katelyn-gutenberg_wordpress_blog_theme:-
- cpe:2.3:a:themerex:kids_care:-
- cpe:2.3:a:themerex:kratz-digital_agency:-
- cpe:2.3:a:themerex:lingvico-language_learning_school:-
- cpe:2.3:a:themerex:maxify-startup_blog:-
- cpe:2.3:a:themerex:meals_and_wheels-food_truck:-
- cpe:2.3:a:themerex:modern_housewife-housewife_and_family_blog:-
- cpe:2.3:a:themerex:mystik-esoterics:-
- cpe:2.3:a:themerex:nazareth-church:-
- cpe:2.3:a:themerex:nelson-barbershop_+_tattoo_salon:-
- cpe:2.3:a:themerex:netmix-broadband_&_telecom:-
- cpe:2.3:a:themerex:ozeum-museum:-
- cpe:2.3:a:themerex:partiso_electioncampaign:-
- cpe:2.3:a:themerex:piqes-creative_startup_&_agency_wordpress_theme:-
- cpe:2.3:a:themerex:pixefy:-
- cpe:2.3:a:themerex:plumbing-repair
- cpe:2.3:a:themerex:prider-pride_fest:-
- cpe:2.3:a:themerex:rare_radio:-
- cpe:2.3:a:themerex:renewal-plastic_surgeon_clinic:-
- cpe:2.3:a:themerex:rhodos-creative_corporate_wordpress_theme:-
- cpe:2.3:a:themerex:right_way:-
- cpe:2.3:a:themerex:rosalinda-vegetarian_&_health_coach:-
- cpe:2.3:a:themerex:rumble-single_fighter_boxer
- cpe:2.3:a:themerex:samadhi-buddhist:-
- cpe:2.3:a:themerex:savejulia_personal_fundraising_campaign:-
- cpe:2.3:a:themerex:scientia-public_library:-
- cpe:2.3:a:themerex:skydiving_and_flying_company:-
- cpe:2.3:a:themerex:tacticool-shooting_range_wordpress_theme:-
- cpe:2.3:a:themerex:tantum-rent_a_car
- cpe:2.3:a:themerex:tediss-soft_play_area
- cpe:2.3:a:themerex:topper_theme_and_skins:-
- cpe:2.3:a:themerex:tornados:-
- cpe:2.3:a:themerex:vapester:-
- cpe:2.3:a:themerex:vihara-ashram
- cpe:2.3:a:themerex:vixus-startup_/_mobile_application:-
- cpe:2.3:a:themerex:wellspring_water_filter_systems:-
- cpe:2.3:a:themerex:yolox-startup_magazine_&_blog_wordpress_theme:-
- cpe:2.3:a:themerex:yottis-simple_portfolio:-
- cpe:2.3:a:themerex:yungen-digital/marketing_agency:-