CVE-2020-10257
published 2020-03-10


Priority: P181 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status: exploited in the wild (VulnCheck KEV)
EPSS: 8.88% (94.6th percentile)
The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing PHP functions to be executed by any user, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

Affected

102 ranges · showing 25

Vendor / Product | Version range | Fixed in
themerexaddons | (not captured in this extraction) | (not captured in this extraction)

All 25 listed rows name the same vendor/product (themerexaddons); the version-range and fixed-in columns did not survive extraction. Per the description above, every release before 2020-03-09 is affected and the 2020-03-09 release contains the fix.

Detection & IOCs (extracted from sources)

URL: /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login={{username}}&user_pass={{password}}
Path: includes/plugin.rest-api.php
  • Look for unauthenticated GET requests to the REST API endpoint /wp-json/trx_addons/v2/get/sc_layout with a `sc` parameter containing PHP function names (e.g., wp_insert_user), especially with role=administrator.
  • A successful exploitation response returns HTTP 200 with a JSON body containing the key `{"data":`, followed by a POST to /wp-login.php resulting in a 302 redirect with a `wordpress_logged_in` cookie — indicating a newly created admin account.
  • Monitor for the presence of `trx_addons` in HTTP response bodies as a fingerprint for vulnerable ThemeREX Addons installations (Shodan/FOFA pivot).
  • The exploit requires no authentication; any unauthenticated HTTP request to the REST endpoint with an arbitrary `sc` parameter value can trigger PHP function execution.
  • The vulnerable code path is in includes/plugin.rest-api.php; the unsafe parameter is `sc`, which is passed directly to trx_addons_rest_get_sc_layout, allowing arbitrary PHP function calls.
  • Affected versions are ThemeREX Addons before 2020-03-09 (e.g., 1.70.3); the fix was applied in the 2020-03-09 release.
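The detection bullets above describe two observables: a request to the sc_layout route with a function name in `sc`, and a same-client POST to /wp-login.php answered with a 302 shortly afterwards. The script below is an added example (not code from the page or from ThemeREX) that runs that logic over web-server access logs. The log lines are constructed for illustration, the set of "account" functions it escalates on is an assumption about what an attacker would most plausibly call, and the five-minute correlation window is arbitrary. It also matches the `?rest_route=` fallback form that WordPress accepts for REST routes, which a path-only filter on `/wp-json/` would miss.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache/nginx combined log format. The sample below is constructed, not real traffic.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

ROUTE = "/trx_addons/v2/get/sc_layout"
# Assumption: callables an attacker would most plausibly reach through `sc`.
# Any other value is still reported, because the endpoint accepts an arbitrary name.
ACCOUNT_FUNCS = {"wp_insert_user", "wp_create_user", "wp_update_user"}

LOG_SAMPLE = """\
203.0.113.7 - - [10/Mar/2020:04:12:01 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=svc_backup&user_pass=Str0ng%21 HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2020:04:12:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2020:04:13:10 +0000] "GET /?rest_route=/trx_addons/v2/get/sc_layout&sc=phpinfo HTTP/1.1" 200 8123
192.0.2.9 - - [10/Mar/2020:04:14:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4096
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def sc_layout_query(target):
    """Return the parsed query string if `target` reaches the sc_layout route, else None.

    Matches both the pretty-permalink form (/wp-json/<route>) and WordPress's
    fallback form (/?rest_route=<route>), which bypasses path-based blocking.
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if parts.path.rstrip("/").lower() == "/wp-json" + ROUTE:
        return qs
    if qs.get("rest_route", [""])[0].rstrip("/").lower() == ROUTE:
        return qs
    return None


def classify(rec, qs):
    """Grade a single sc_layout request by what `sc` would call."""
    sc = qs.get("sc", [""])[0]
    finding = {"ip": rec["ip"], "ts": rec["ts"], "sc": sc, "status": rec["status"],
               "severity": "medium", "followup_login": False}
    if sc in ACCOUNT_FUNCS:
        finding["severity"] = "high"
        if qs.get("role", [""])[0] == "administrator":
            finding["severity"] = "critical"
            finding["user_login"] = qs.get("user_login", [""])[0]
    return finding


def scan_log(text, window=timedelta(minutes=5)):
    """Flag sc_layout calls and mark those followed, from the same client within
    `window`, by a POST to /wp-login.php answered with 302 (the pattern of an
    attacker logging into a freshly inserted admin account)."""
    records = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    findings = []
    for rec in records:
        qs = sc_layout_query(rec["target"])
        if qs is not None:
            findings.append(classify(rec, qs))
    for f in findings:
        for rec in records:
            if (rec["ip"] == f["ip"] and rec["method"] == "POST"
                    and urlsplit(rec["target"]).path == "/wp-login.php"
                    and rec["status"] == 302
                    and f["ts"] <= rec["ts"] <= f["ts"] + window):
                f["followup_login"] = True
                break
    return findings


if __name__ == "__main__":
    for f in scan_log(LOG_SAMPLE):
        print(f["severity"], f["ip"], f["sc"], "login-followed" if f["followup_login"] else "")
```

Run it against a real access log by passing the file contents to `scan_log`. A 200 on the sc_layout call is necessary but not sufficient evidence of success; confirm by checking the response body for the `{"data":` key described above, or by listing recently created administrator accounts in the WordPress users table.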

CVSS provenance

NVD (CVSS v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v3.0): 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL