← Back

CVE-2020-10257

nvd nistnuclei
Published: Mar 10, 2020Modified: Nov 21, 2024

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

Affected (103)

Products: Themerex: Ozeum Museum, Addons, Chit Club Board Games, Yottis Simple Portfolio, Helion Agency &portfolio, Amuli, Nelson Barbershop + Tattoo Salon, Hallelujah Church, Right Way, Prider Pride Fest, Mystik Esoterics, Skydiving And Flying Company, Dronex Aerial Photography Services, Samadhi Buddhist, Tantum Rent A Car, Rent A Bike, Rent A Scooter Multiskin Theme, Scientia Public Library, Blabber, Impacto Patronus Multi Landing, Rare Radio, Piqes Creative Startup & Agency Wordpress Theme, Kratz Digital Agency, Pixefy, Netmix Broadband & Telecom, Kids Care, Briny Diving Wordpress Theme, Tornados, Gridiron, Yungen Digital/marketing Agency, Fc United Football, Bugster Pests Control, Rumble Single Fighter Boxer, News, Gym, Store, Tacticool Shooting Range Wordpress Theme, Coinpress Cryptocurrency Magazine & Blog Wordpress Theme, Vihara Ashram, Buddhist, Katelyn Gutenberg Wordpress Blog Theme, Heaven 11 Multiskin Property Theme, Especio Food Gutenberg Theme, Partiso Electioncampaign, Kargo Freight Transport, Maxify Startup Blog, Lingvico Language Learning School, Aldo Gutenberg Wordpress Blog Theme, Vixus Startup / Mobile Application, Wellspring Water Filter Systems, Nazareth Church, Tediss Soft Play Area, Cafe & Child Care Center, Yolox Startup Magazine & Blog Wordpress Theme, Meals And Wheels Food Truck, Rosalinda Vegetarian & Health Coach, Vapester, Modern Housewife Housewife And Family Blog, Chainpress, Justitia Multiskin Lawyer Theme, Hobo Digital Nomad Blog, Rhodos Creative Corporate Wordpress Theme, Buzz Stone Magazine & Blog, Corredo Sport Event, Savejulia Personal Fundraising Campaign, Bonkozoo Zoo, Renewal Plastic Surgeon Clinic, Gloss Blog, Plumbing Repair, Building & Construction Wordpress Theme, Topper Theme And Skins
Themerex
63 products
Ozeum Museum
Addons
Chit Club Board Games
Yottis Simple Portfolio
Helion Agency &portfolio
Amuli
Nelson Barbershop + Tattoo Salon
Hallelujah Church
Right Way
Prider Pride Fest
Mystik Esoterics
Skydiving And Flying Company
Dronex Aerial Photography Services
Samadhi Buddhist
Tantum Rent A Car, Rent A Bike, Rent A Scooter Multiskin Theme
Scientia Public Library
Blabber
Impacto Patronus Multi Landing
Rare Radio
Piqes Creative Startup & Agency Wordpress Theme
Kratz Digital Agency
Pixefy
Netmix Broadband & Telecom
Kids Care
Briny Diving Wordpress Theme
Tornados
Gridiron
Yungen Digital/marketing Agency
Fc United Football
Bugster Pests Control
Rumble Single Fighter Boxer, News, Gym, Store
Tacticool Shooting Range Wordpress Theme
Coinpress Cryptocurrency Magazine & Blog Wordpress Theme
Vihara Ashram, Buddhist
Katelyn Gutenberg Wordpress Blog Theme
Heaven 11 Multiskin Property Theme
Especio Food Gutenberg Theme
Partiso Electioncampaign
Kargo Freight Transport
Maxify Startup Blog
Lingvico Language Learning School
Aldo Gutenberg Wordpress Blog Theme
Vixus Startup / Mobile Application
Wellspring Water Filter Systems
Nazareth Church
Tediss Soft Play Area, Cafe & Child Care Center
Yolox Startup Magazine & Blog Wordpress Theme
Meals And Wheels Food Truck
Rosalinda Vegetarian & Health Coach
Vapester
Modern Housewife Housewife And Family Blog
Chainpress
Justitia Multiskin Lawyer Theme
Hobo Digital Nomad Blog
Rhodos Creative Corporate Wordpress Theme
Buzz Stone Magazine & Blog
Corredo Sport Event
Savejulia Personal Fundraising Campaign
Bonkozoo Zoo
Renewal Plastic Surgeon Clinic
Gloss Blog
Plumbing Repair, Building & Construction Wordpress Theme
Topper Theme And Skins
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Ozeum Museum
Before 1.0.2
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.70.3
Chit Club Board Games
Before 1.0.1
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.67
Yottis Simple Portfolio
Before 1.0.1
Configuration D
1 vulnerable
Vulnerable SoftwareAffected Versions
Helion Agency &portfolio
Before 1.0.3
Configuration E
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.66
Amuli
Before 1.0.2
Configuration F
1 vulnerable
Vulnerable SoftwareAffected Versions
Nelson Barbershop + Tattoo Salon
Before 1.0.1.2001
Configuration G
1 vulnerable
Vulnerable SoftwareAffected Versions
Hallelujah Church
Before 1.0.1
Configuration H
1 vulnerable
Vulnerable SoftwareAffected Versions
Right Way
Before 4.0.1
Configuration I
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.65
Prider Pride Fest
Before 1.0.2
Configuration J
1 vulnerable
Vulnerable SoftwareAffected Versions
Mystik Esoterics
Before 1.0.1
Configuration K
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.62.3
Skydiving And Flying Company
Before 1.0.1
Configuration L
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.62.1
Dronex Aerial Photography Services
Before 1.1.2001
Configuration M
1 vulnerable
Vulnerable SoftwareAffected Versions
Samadhi Buddhist
Before 1.0.1
Configuration N
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.61.3
Tantum Rent A Car, Rent A Bike, Rent A Scooter Multiskin Theme
Before 1.0.2
Configuration O
1 vulnerable
Vulnerable SoftwareAffected Versions
Scientia Public Library
Before 1.0.1
Configuration P
1 vulnerable
Vulnerable SoftwareAffected Versions
Blabber
Before 1.5.2009
Configuration Q
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.61.1
Impacto Patronus Multi Landing
Before 1.1.2001
Configuration R
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.61
Rare Radio
Before 1.0.1
Configuration S
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.60
Piqes Creative Startup & Agency Wordpress Theme
Before 1.0.1
Configuration T
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.59.3
Kratz Digital Agency
Before 1.0.2
Configuration U
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.59.2
Pixefy
Before 1.0.1
Configuration V
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.59.1.1
Netmix Broadband & Telecom
Before 1.0.2
Configuration W
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.59
Kids Care
Before 3.0.5
Configuration X
1 vulnerable
Vulnerable SoftwareAffected Versions
Briny Diving Wordpress Theme
Before 1.2.2000
Configuration Y
1 vulnerable
Vulnerable SoftwareAffected Versions
Tornados
Before 1.1.2001
Configuration Z
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.57.4
Gridiron
Before 1.0.2
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Yungen Digital/marketing Agency
Before 1.0.1
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.57.3
Fc United Football
Before 1.0.7
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.57.2
Bugster Pests Control
Before 1.0.2
Configuration D
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.57
Rumble Single Fighter Boxer, News, Gym, Store
Before 1.0.4
Configuration E
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.56
Tacticool Shooting Range Wordpress Theme
Before 1.0.1
Configuration F
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.55.4
Coinpress Cryptocurrency Magazine & Blog Wordpress Theme
Before 1.0.2
Configuration G
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.55.7
Vihara Ashram, Buddhist
Before 1.1.2001
Configuration H
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.55.3
Katelyn Gutenberg Wordpress Blog Theme
Before 1.0.4
Configuration I
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.55.1
Heaven 11 Multiskin Property Theme
Before 1.0.2
Configuration J
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.54
Especio Food Gutenberg Theme
Before 1.0.1
Configuration K
1 vulnerable
Vulnerable SoftwareAffected Versions
Partiso Electioncampaign
Before 1.1.2002
Configuration L
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.53.3
Kargo Freight Transport
Before 1.1.2004
Configuration M
1 vulnerable
Vulnerable SoftwareAffected Versions
Maxify Startup Blog
Before 1.0.4
Configuration N
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.53.1
Lingvico Language Learning School
Before 1.0.3
Configuration O
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.53.2
Aldo Gutenberg Wordpress Blog Theme
Before 1.0.2
Configuration P
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.52.2
Vixus Startup / Mobile Application
Before 1.0.4
Configuration Q
1 vulnerable
Vulnerable SoftwareAffected Versions
Wellspring Water Filter Systems
Before 1.0.3
Configuration R
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.52.1
Nazareth Church
Before 1.0.5
Configuration S
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.53
Tediss Soft Play Area, Cafe & Child Care Center
Before 1.0.3
Configuration T
1 vulnerable
Vulnerable SoftwareAffected Versions
Yolox Startup Magazine & Blog Wordpress Theme
Before 1.0.3
Configuration U
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.51.3
Meals And Wheels Food Truck
Before 1.0.3
Configuration V
1 vulnerable
Vulnerable SoftwareAffected Versions
Rosalinda Vegetarian & Health Coach
Before 1.0.3
Configuration W
1 vulnerable
Vulnerable SoftwareAffected Versions
Vapester
Before 1.1.2001
Configuration X
1 vulnerable
Vulnerable SoftwareAffected Versions
Modern Housewife Housewife And Family Blog
Before 1.0.2
Configuration Y
1 vulnerable
Vulnerable SoftwareAffected Versions
Chainpress
Before 1.0.3
Configuration Z
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.51.1
Justitia Multiskin Lawyer Theme
Before 1.0.3
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Hobo Digital Nomad Blog
Before 1.0.3
Configuration B
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.50.1
Rhodos Creative Corporate Wordpress Theme
Before 1.3.2001
Configuration C
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.50
Buzz Stone Magazine & Blog
Before 1.0.3
Configuration D
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.0.49.10
Corredo Sport Event
Before 1.1.2003
Configuration E
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.49.8
Savejulia Personal Fundraising Campaign
Before 1.0.3
Configuration F
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.49.6
Bonkozoo Zoo
Before 1.0.3
Configuration G
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.49.6.2
Renewal Plastic Surgeon Clinic
Before 1.0.3
Configuration H
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.49.5
Gloss Blog
Before 1.0.1
Configuration I
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.58.2
Plumbing Repair, Building & Construction Wordpress Theme
Before 3.0.1
Configuration J
2 vulnerable
Vulnerable SoftwareAffected Versions
Addons
Version 1.6.61.2
Topper Theme And Skins
All versions

Related CWEs

CWE-862
Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-94
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (2)

Source: cve@mitre.org
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory

Timeline

No history available yet.