CVE-2020-10257
10.03.2020, 00:15
The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing PHP functions to be executed by any user (no authentication is required), because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.
| Vendor | Product | Version |
|---|---|---|
| themerex | addons | 1.70.3 |
| themerex | ozeum-museum | 𝑥 < 1.0.2 |
| themerex | addons | 1.70.3 |
| themerex | chit_club-board_games | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.67 |
| themerex | yottis-simple_portfolio | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.66 |
| themerex | helion-agency_\&portfolio | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.66 |
| themerex | amuli | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.65 |
| themerex | nelson-barbershop_\+_tattoo_salon | 𝑥 < 1.0.1.2001 |
| themerex | addons | 1.6.65 |
| themerex | hallelujah-church | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.65 |
| themerex | right_way | 𝑥 < 4.0.1 |
| themerex | addons | 1.6.65 |
| themerex | prider-pride_fest | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.62.3 |
| themerex | mystik-esoterics | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.62.3 |
| themerex | skydiving_and_flying_company | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.62.1 |
| themerex | dronex-aerial_photography_services | 𝑥 < 1.1.2001 |
| themerex | addons | 1.6.61.2 |
| themerex | samadhi-buddhist | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.61.3 |
| themerex | tantum-rent_a_car\,_rent_a_bike\,_rent_a_scooter_multiskin_theme | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.61.2 |
| themerex | scientia-public_library | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.61.2 |
| themerex | blabber | 𝑥 < 1.5.2009 |
| themerex | addons | 1.6.61.1 |
| themerex | impacto_patronus_multi-landing | 𝑥 < 1.1.2001 |
| themerex | addons | 1.6.61 |
| themerex | rare_radio | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.60 |
| themerex | piqes-creative_startup_\&_agency_wordpress_theme | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.59.3 |
| themerex | kratz-digital_agency | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.59.2 |
| themerex | pixefy | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.59.1.1 |
| themerex | netmix-broadband_\&_telecom | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.59 |
| themerex | kids_care | 𝑥 < 3.0.5 |
| themerex | addons | 1.6.58.2 |
| themerex | briny-diving_wordpress_theme | 𝑥 < 1.2.2000 |
| themerex | addons | 1.6.57.3 |
| themerex | tornados | 𝑥 < 1.1.2001 |
| themerex | addons | 1.6.57.4 |
| themerex | gridiron | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.57.2 |
| themerex | yungen-digital\/marketing_agency | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.57.3 |
| themerex | fc_united-football | 𝑥 < 1.0.7 |
| themerex | addons | 1.6.57.2 |
| themerex | bugster-pests_control | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.57 |
| themerex | rumble-single_fighter_boxer\,_news\,_gym\,_store | 𝑥 < 1.0.4 |
| themerex | addons | 1.6.56 |
| themerex | tacticool-shooting_range_wordpress_theme | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.55.4 |
| themerex | coinpress-cryptocurrency_magazine_\&_blog_wordpress_theme | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.55.7 |
| themerex | vihara-ashram\,_buddhist | 𝑥 < 1.1.2001 |
| themerex | addons | 1.6.55.3 |
| themerex | katelyn-gutenberg_wordpress_blog_theme | 𝑥 < 1.0.4 |
| themerex | addons | 1.6.55.1 |
| themerex | heaven_11-multiskin_property_theme | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.54 |
| themerex | especio-food_gutenberg_theme | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.53.1 |
| themerex | partiso_electioncampaign | 𝑥 < 1.1.2002 |
| themerex | addons | 1.6.53.3 |
| themerex | kargo-freight_transport | 𝑥 < 1.1.2004 |
| themerex | addons | 1.6.53.2 |
| themerex | maxify-startup_blog | 𝑥 < 1.0.4 |
| themerex | addons | 1.6.53.1 |
| themerex | lingvico-language_learning_school | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.53.2 |
| themerex | aldo-gutenberg_wordpress_blog_theme | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.52.2 |
| themerex | vixus-startup_\/_mobile_application | 𝑥 < 1.0.4 |
| themerex | addons | 1.6.52.1 |
| themerex | wellspring_water_filter_systems | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.52.1 |
| themerex | nazareth-church | 𝑥 < 1.0.5 |
| themerex | addons | 1.6.53 |
| themerex | tediss-soft_play_area\,_cafe_\&_child_care_center | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.51.3 |
| themerex | yolox-startup_magazine_\&_blog_wordpress_theme | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.51.3 |
| themerex | meals_and_wheels-food_truck | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.51.1 |
| themerex | rosalinda-vegetarian_\&_health_coach | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.50 |
| themerex | vapester | 𝑥 < 1.1.2001 |
| themerex | addons | 1.6.50 |
| themerex | modern_housewife-housewife_and_family_blog | 𝑥 < 1.0.2 |
| themerex | addons | 1.6.50.1 |
| themerex | chainpress | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.51.1 |
| themerex | justitia-multiskin_lawyer_theme | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.50 |
| themerex | hobo_digital_nomad_blog | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.50.1 |
| themerex | rhodos-creative_corporate_wordpress_theme | 𝑥 < 1.3.2001 |
| themerex | addons | 1.6.50 |
| themerex | buzz_stone-magazine_\&_blog | 𝑥 < 1.0.3 |
| themerex | addons | 1.0.49.10 |
| themerex | corredo_sport_event | 𝑥 < 1.1.2003 |
| themerex | addons | 1.6.49.8 |
| themerex | savejulia_personal_fundraising_campaign | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.49.6 |
| themerex | bonkozoo_zoo | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.49.6.2 |
| themerex | renewal-plastic_surgeon_clinic | 𝑥 < 1.0.3 |
| themerex | addons | 1.6.49.5 |
| themerex | gloss_blog | 𝑥 < 1.0.1 |
| themerex | addons | 1.6.58.2 |
| themerex | plumbing-repair\,_building_\&_construction_wordpress_theme | 𝑥 < 3.0.1 |
| themerex | addons | 1.6.61.2 |
| themerex | topper_theme_and_skins | - |
𝑥 = Vulnerable software versions