{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-03-09T23:41:34", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2020-10257", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AC:L/AV:N/A:H/C:H/I:H/PR:N/S:U/UI:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/", "refsource": "MISC", "url": "https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2020-10257", "datePublished": "2020-03-09T23:41:34", "dateReserved": "2020-03-09T00:00:00", "dateUpdated": "2020-03-09T23:41:34", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.70.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "415D8A2D-344D-4A75-A834-C6C4C68ACF47", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:ozeum-museum:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "76F58E84-8810-4221-BC84-5B152A53529D", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.70.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "415D8A2D-344D-4A75-A834-C6C4C68ACF47", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:chit_club-board_games:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B9A00971-2A40-476B-BB49-4D0FA36DE6CA", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.67:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0F2EF7DE-F1C2-4245-A5EF-7BBD702B76F0", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:yottis-simple_portfolio:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7AF13B64-D55F-4D02-9D77-95CF994AE995", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.66:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3661314B-3DD1-495E-9EDC-3A01725A06E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:helion-agency_\\&portfolio:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EE4A6B17-FB56-4BCB-A725-B8BD0A1031A2", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.66:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3661314B-3DD1-495E-9EDC-3A01725A06E7", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:amuli:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CC9A01E6-7BFB-4FC7-B3AA-CC812DBEC186", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.65:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F96C11A5-9A64-4F0D-A9B8-308C4A06B997", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:nelson-barbershop_\\+_tattoo_salon:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3A335E4B-84C4-4FC7-BD47-6D939ED5782C", "versionEndExcluding": "1.0.1.2001", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.65:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F96C11A5-9A64-4F0D-A9B8-308C4A06B997", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:hallelujah-church:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7700EC98-EB55-420A-B194-B394C5479827", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.65:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F96C11A5-9A64-4F0D-A9B8-308C4A06B997", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:right_way:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "150D52DF-FE9F-46CC-AA67-D0F9F9D27593", "versionEndExcluding": "4.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.65:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F96C11A5-9A64-4F0D-A9B8-308C4A06B997", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:prider-pride_fest:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "79D33A86-DB23-4903-B241-8A42D290C9DF", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.62.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7ECD4BD2-C6E4-4B61-B4D1-ABB96C151153", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:mystik-esoterics:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3AA23F39-84FE-43DE-80BF-9A0F5A13E630", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.62.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7ECD4BD2-C6E4-4B61-B4D1-ABB96C151153", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:skydiving_and_flying_company:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "87B005BC-1CBD-47C2-8D99-40F82DE0EDB3", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.62.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DDF94FB5-C3CB-4272-9382-7BD1770C454A", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:dronex-aerial_photography_services:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A781A3AB-613E-4FC6-A2F9-9D644261C21C", "versionEndExcluding": "1.1.2001", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.61.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "089C99E9-CB27-4A5B-B5C4-ABCF34619C97", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:samadhi-buddhist:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EFE13FB9-41A3-4EAC-9E01-13300957BF87", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.61.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7AE5EF9D-ABDA-4F54-9A61-F2019C2BC859", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:tantum-rent_a_car\\,_rent_a_bike\\,_rent_a_scooter_multiskin_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "45A34C98-9240-483F-99D0-C5FDC2AA0D3D", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.61.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "089C99E9-CB27-4A5B-B5C4-ABCF34619C97", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:scientia-public_library:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A3EB47EC-7629-4467-8378-A5E3FCBB853C", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.61.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "089C99E9-CB27-4A5B-B5C4-ABCF34619C97", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:blabber:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0B19EEE4-6E11-4AEF-804C-16277D952B39", "versionEndExcluding": "1.5.2009", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.61.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "E3EA645A-993C-42A0-A80B-F0A661D15633", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:impacto_patronus_multi-landing:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6F9A55CA-206F-4A2B-B86E-243D19474DDB", "versionEndExcluding": "1.1.2001", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.61:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F7C95469-9D20-4591-A0BA-C3965DD36083", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:rare_radio:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8ADA9804-F197-47AD-ADEE-616E913834D7", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.60:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5E9E0369-067F-4186-9D5D-33CA5EC9C791", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:piqes-creative_startup_\\&_agency_wordpress_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EE320DA3-CC76-499A-A677-F3DA87E0B986", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.59.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "234568F6-471D-4B48-AEEC-503B17C86C5A", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:kratz-digital_agency:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "23A4FDDE-F120-46F1-ABD7-B82BDAD2A492", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.59.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1DBF97DA-57D9-439B-B143-660F6A61EB5C", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:pixefy:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "C16B1817-9FBB-4EEE-9E86-3ECDCBB8B504", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.59.1.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "6A4EB921-5FCA-45A2-BFA5-9CD80618EC8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:netmix-broadband_\\&_telecom:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CF93FC05-3096-4279-B2BE-8DEF99CC49ED", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.59:*:*:*:*:wordpress:*:*", "matchCriteriaId": "3CB9A69F-36AF-4BC8-91B9-662F3D93289B", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:kids_care:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A3AC4B03-2C61-4D67-9C20-3DC523A24B48", "versionEndExcluding": "3.0.5", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.58.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "9249BF20-B351-4512-9811-9266942265D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:briny-diving_wordpress_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4E588690-A2D2-4A98-9C8F-07CC7C9A8C4D", "versionEndExcluding": "1.2.2000", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.57.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "41F85647-F147-4AC8-B218-ECA404225F7D", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:tornados:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "04BD29FF-6355-4DBA-9289-D55C01459EE2", "versionEndExcluding": "1.1.2001", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.57.4:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1BA29CAB-0BB3-405D-A765-80AD9F96BC79", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:gridiron:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "FBF5DC5A-2B7F-41E4-87B8-E8D7FBC86414", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.57.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0BFA7BBD-0DD9-4E6D-81E3-F97307046178", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:yungen-digital\\/marketing_agency:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D708AC36-90A1-429E-B57B-5F5623FFF05D", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.57.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "41F85647-F147-4AC8-B218-ECA404225F7D", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:fc_united-football:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D7EAE9F1-3D4B-4295-BA23-F9236B43FF34", "versionEndExcluding": "1.0.7", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.57.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0BFA7BBD-0DD9-4E6D-81E3-F97307046178", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:bugster-pests_control:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2306DD6E-97D4-4138-957A-EB97FBC56575", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.57:*:*:*:*:wordpress:*:*", "matchCriteriaId": "72DDDE9D-0318-4E2D-B823-5E8C131A8C6A", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:rumble-single_fighter_boxer\\,_news\\,_gym\\,_store:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "65F561FD-ABEF-4A54-8A79-36275DFF41B8", "versionEndExcluding": "1.0.4", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.56:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D9D8E72C-E175-4BAF-931D-08BBADCFE8C7", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:tacticool-shooting_range_wordpress_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F5455FBD-2F66-462A-85E1-317357FC8DC1", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.55.4:*:*:*:*:wordpress:*:*", "matchCriteriaId": "FF760417-7D3C-4318-A534-AD3BF2F90A34", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:coinpress-cryptocurrency_magazine_\\&_blog_wordpress_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "868125DA-4B87-44C2-92F8-312CC2012B4F", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.55.7:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A7114AAF-A988-4D9E-8075-B8E09D234835", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:vihara-ashram\\,_buddhist:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5BD68932-E838-432F-8473-84B3F272396D", "versionEndExcluding": "1.1.2001", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.55.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "EE14B83E-CD6E-45C6-97ED-4DF9C765B8C5", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:katelyn-gutenberg_wordpress_blog_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "26CAE12E-D7BA-4670-86C2-5D8E538F3A6C", "versionEndExcluding": "1.0.4", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.55.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "292EFA6F-4DDD-484E-999E-A931059A98A7", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:heaven_11-multiskin_property_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "2C9477E5-0E73-49A0-9420-4EA4DD750AD5", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.54:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0A95FDC3-F37A-4D19-B252-1B5DCD041D4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:especio-food_gutenberg_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F0E5638A-164E-482B-A19D-032F871F9914", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.53.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "727050AA-319A-472A-BC47-A7C52D3D78A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:partiso_electioncampaign:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F715FE4B-1C1B-4728-9854-8C67A77B2FE4", "versionEndExcluding": "1.1.2002", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.53.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7B8B2A0B-A18A-4F61-9E05-5B5A1E887C0A", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:kargo-freight_transport:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DF407634-F80B-4FF2-B496-9338319EC333", "versionEndExcluding": "1.1.2004", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.53.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "79C619F5-8F21-4D83-B480-472ABB74D78A", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:maxify-startup_blog:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "152E3D37-488D-40EF-8650-55EB0E55D266", "versionEndExcluding": "1.0.4", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.53.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "727050AA-319A-472A-BC47-A7C52D3D78A1", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:lingvico-language_learning_school:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F3E948CD-78E2-45C0-87D1-9912FE3295D2", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.53.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "79C619F5-8F21-4D83-B480-472ABB74D78A", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:aldo-gutenberg_wordpress_blog_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "526A096A-DDC6-4BB7-87D4-C30946D5956E", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.52.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4E05F3AE-0D09-47DF-ACC2-58E656E87FCA", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:vixus-startup_\\/_mobile_application:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F6431FAE-D3F2-4F0B-8E2E-B3AF958F589F", "versionEndExcluding": "1.0.4", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.52.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "832709EC-9F72-425E-A091-4BA3B30D44FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:wellspring_water_filter_systems:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4E370374-4060-459A-905B-55D9A01E7660", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.52.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "832709EC-9F72-425E-A091-4BA3B30D44FD", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:nazareth-church:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4F6E1F20-427A-4D01-800B-96F64092E968", "versionEndExcluding": "1.0.5", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.53:*:*:*:*:wordpress:*:*", "matchCriteriaId": "ED35A9AC-DDEC-49A9-9154-EB9C13B3BC4C", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:tediss-soft_play_area\\,_cafe_\\&_child_care_center:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B097B9AD-C06D-474C-BB71-6F3CC6F3EC2F", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.51.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B06D0160-ADC8-4AE7-B35C-64862D850964", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:yolox-startup_magazine_\\&_blog_wordpress_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "868BCA71-CCC3-4617-9747-ACC6E3240E00", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.51.3:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B06D0160-ADC8-4AE7-B35C-64862D850964", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:meals_and_wheels-food_truck:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D386062B-F308-4ED0-A30C-0B86F57DC623", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.51.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CD6FABBE-A686-4EE2-AFAE-7D78CF3B4064", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:rosalinda-vegetarian_\\&_health_coach:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "5D92C6CD-B6D7-4782-8B43-7856CF11D04F", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.50:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A40C76BD-DD5E-4546-8D8E-1496069C0B38", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:vapester:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "23E53397-A8CB-480F-AE32-2D2092B7E382", "versionEndExcluding": "1.1.2001", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.50:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A40C76BD-DD5E-4546-8D8E-1496069C0B38", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:modern_housewife-housewife_and_family_blog:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "78687932-3E1F-4C47-96BA-E0BF25FBFACD", "versionEndExcluding": "1.0.2", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.50.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1B364A8C-228A-44A4-80B1-8E471C06493B", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:chainpress:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F44C865E-FC06-4CFA-848E-80CA3C3A1987", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.51.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CD6FABBE-A686-4EE2-AFAE-7D78CF3B4064", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:justitia-multiskin_lawyer_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1F431DFE-C643-4CDA-89D6-25BBBA91491C", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.50:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A40C76BD-DD5E-4546-8D8E-1496069C0B38", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:hobo_digital_nomad_blog:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4D25045C-BDF8-4A5C-96A3-7F45CD4A1CDF", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.50.1:*:*:*:*:wordpress:*:*", "matchCriteriaId": "1B364A8C-228A-44A4-80B1-8E471C06493B", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:rhodos-creative_corporate_wordpress_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "0D8858EB-787E-45D1-B1C2-5D023840BCCA", "versionEndExcluding": "1.3.2001", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.50:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A40C76BD-DD5E-4546-8D8E-1496069C0B38", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:buzz_stone-magazine_\\&_blog:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "A18D53D3-1D92-43A8-AB72-0C971C6A8C51", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.0.49.10:*:*:*:*:wordpress:*:*", "matchCriteriaId": "F7EDB5DE-C5E5-4C68-A83C-EF7C6C630163", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:corredo_sport_event:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "431FFDA6-254A-4387-9894-CCC5AFA9D573", "versionEndExcluding": "1.1.2003", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.49.8:*:*:*:*:wordpress:*:*", "matchCriteriaId": "533F071F-26BB-4978-91E3-97FECD4EECDE", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:savejulia_personal_fundraising_campaign:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "7159FD8E-6E68-4FC7-AA46-31205226DE0C", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.49.6:*:*:*:*:wordpress:*:*", "matchCriteriaId": "310CFAEA-F13F-4B15-8E9A-13AE7CFFEA58", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:bonkozoo_zoo:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DAA36195-F528-4F08-A0A5-A87C6BD9995A", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.49.6.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "43002470-1B51-44AB-A07E-F7796443987B", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:renewal-plastic_surgeon_clinic:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "B206FC3A-C47F-4D83-8848-28A1E376AC46", "versionEndExcluding": "1.0.3", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.49.5:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D608B893-4F2D-4828-91F8-2E4B597A3C04", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:gloss_blog:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "8A379218-18C2-4F3D-912B-5999628796AA", "versionEndExcluding": "1.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.58.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "9249BF20-B351-4512-9811-9266942265D0", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:plumbing-repair\\,_building_\\&_construction_wordpress_theme:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "469075B3-560A-4EFD-8B81-62A6FFBC5853", "versionEndExcluding": "3.0.1", "vulnerable": true}], "negate": false, "operator": "AND"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:themerex:addons:1.6.61.2:*:*:*:*:wordpress:*:*", "matchCriteriaId": "089C99E9-CB27-4A5B-B5C4-ABCF34619C97", "vulnerable": true}, {"criteria": "cpe:2.3:a:themerex:topper_theme_and_skins:-:*:*:*:*:wordpress:*:*", "matchCriteriaId": "4ED89805-5F82-40BA-B669-7416602E5938", "vulnerable": true}], "negate": false, "operator": "AND"}]}], "descriptions": [{"lang": "en", "value": "The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter."}, {"lang": "es", "value": "El plugin ThemeREX Addons antes del 09-03-2020 para WordPress, presenta una falta de control de acceso en el endpoint de la API REST /trx_addons/v2/get/sc_layout, permitiendo que funciones PHP sean ejecutadas por cualquier usuario, porque el archivo includes/plugin.rest-api.php llama a la funci\u00f3n trx_addons_rest_get_sc_layout con un par\u00e1metro sc no seguro."}], "id": "CVE-2020-10257", "lastModified": "2021-07-21T11:39:23.747", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "cve@mitre.org", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-10T00:15:10.757", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-94"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}