CVE-2020-10257
Published: 2020-03-10
Priority P1 · 81 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 8.88% (94.6th percentile)
The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.
Affected
102 ranges · showing 25 (the 25 rows shown in the source are identical; no version bounds or fixed versions are given)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| themerex | addons | — | — |
Detection & IOCs (extracted from sources)

URL IOC: /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login={{username}}&user_pass={{password}}

- Look for unauthenticated GET requests to the REST API endpoint /wp-json/trx_addons/v2/get/sc_layout with a `sc` parameter containing PHP function names (e.g., wp_insert_user), especially with role=administrator.
- A successful exploitation response returns HTTP 200 with a JSON body containing the key `{"data":`, followed by a POST to /wp-login.php resulting in a 302 redirect with a `wordpress_logged_in` cookie, indicating a newly created admin account.
- Monitor for the presence of `trx_addons` in HTTP response bodies as a fingerprint for vulnerable ThemeREX Addons installations (Shodan/FOFA pivot).
- The exploit requires no authentication; any unauthenticated HTTP request to the REST endpoint with an arbitrary `sc` parameter value can trigger PHP function execution.
- The vulnerable code path is in includes/plugin.rest-api.php; the unsafe parameter is `sc`, which is passed directly to trx_addons_rest_get_sc_layout, allowing arbitrary PHP function calls.
- Affected versions are ThemeREX Addons before 2020-03-09 (e.g., 1.70.3); the fix was applied in the 2020-03-09 release.
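As an added example (not part of this record or of the plugin's code), the detection guidance above expressed as a small Python scan over constructed access-log lines: it flags unauthenticated hits on the sc_layout endpoint that carry an `sc` parameter, rates them high when `sc=wp_insert_user` or `role=administrator` appears, and escalates when a 302 POST to /wp-login.php from the same source follows a 200 hit, as the IOC notes describe. The combined log format, the sample addresses and the 5-minute correlation window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/nginx "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2020:12:00:01 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=x&user_pass=y HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.5 - - [10/Mar/2020:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2020:12:01:00 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=demo_value HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2020:12:02:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
ENDPOINT = "/wp-json/trx_addons/v2/get/sc_layout"
HIGH_RISK = {"wp_insert_user"}  # the function name cited in the advisory text

def parse_line(line):
    m = LINE_RE.match(line)  # one combined-format line -> dict, or None if it does not match
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d

def classify(req):
    """Severity for a request to the sc_layout endpoint, or None when unrelated or without 'sc'."""
    url = urlsplit(req["target"])
    qs = parse_qs(url.query)
    sc, role = qs.get("sc", [""])[0], qs.get("role", ["-"])[0]
    if url.path.rstrip("/") != ENDPOINT or not sc:
        return None
    if sc in HIGH_RISK or role == "administrator":
        return "high", f"sc={sc} role={role}"
    return "medium", f"unauthenticated sc={sc} on vulnerable endpoint"

def scan(log_text, window=timedelta(minutes=5)):
    """Return (ip, severity, reason); a 302 POST /wp-login.php from the same IP within the window escalates a 200 hit."""
    reqs = [r for r in map(parse_line, log_text.splitlines()) if r]
    alerts = []
    for i, r in enumerate(reqs):
        verdict = classify(r)
        if not verdict:
            continue
        sev, reason = verdict
        if sev == "high" and r["status"] == 200 and any(
                later["ip"] == r["ip"] and later["method"] == "POST" and later["status"] == 302
                and later["target"].startswith("/wp-login.php")
                and timedelta(0) <= later["ts"] - r["ts"] <= window
                for later in reqs[i + 1:]):
            sev, reason = "critical", reason + "; followed by 302 login (account likely created)"
        alerts.append((r["ip"], sev, reason))
    return alerts
```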
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
GHSA
GHSA-x679-h3r8-6399 · ghsa_unreviewed · 2022-05-24 · HIGH · CWE-94
Description: identical to the CVE summary above (ThemeREX Addons before 2020-03-09 lacks access control on /trx_addons/v2/get/sc_layout; includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter).
VulnCheck
themerex addons Improper Control of Generation of Code ('Code Injection')
vulncheck · 2020 · CVSS 9.8 CRITICAL
Description: identical to the CVE summary above.
Affected: themerex addons
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/
No detection rules found.
Nuclei
ThemeREX Addons - Remote Code Execution
nuclei · CVSS 9.8 CRITICAL
ThemeREX Addons plugin before 2020-03-09 for WordPress contains an access control vulnerability in the /trx_addons/v2/get/sc_layout REST API endpoint, allowing any user to execute PHP functions because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter; attackers can execute arbitrary PHP functions, and the exploit requires no authentication.
Template (truncated in the source):

```yaml
id: CVE-2020-10257

info:
  name: ThemeREX Addons - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    ThemeREX Addons plugin before 2020-03-09 for WordPress contains an access control vulnerability in the /trx_addons/v2/get/sc_layout REST API endpoint, allowing any users to execute PHP functions because includes/plugin.rest-api.php call
```
No writeups or analysis indexed.
Timeline
2020-03-10 · Published
Exploited in the wild