CVE & CISA-KEV Catalog

CVE-2020-10257

Severity: CRITICAL
EPSS: 95th percentile
CVSS v3: 9.8 (NVD)

Description

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

How to fix

Remediation Available
Affected products (all entries for CVE-2020-10257; version ranges derived from NVD):

Product | Affected | Fixed in
aldo-gutenberg wordpress blog theme | < 1.0.2 | 1.0.2
amuli | < 1.0.2 | 1.0.2
blabber | < 1.5.2009 | 1.5.2009
bonkozoo zoo | < 1.0.3 | 1.0.3
briny-diving wordpress theme | < 1.2.2000 | 1.2.2000
bugster-pests control | < 1.0.2 | 1.0.2
buzz stone-magazine & blog | < 1.0.3 | 1.0.3
chainpress | < 1.0.3 | 1.0.3
chit club-board games | < 1.0.1 | 1.0.1
coinpress-cryptocurrency magazine & blog wordpress theme | < 1.0.2 | 1.0.2
corredo sport event | < 1.1.2003 | 1.1.2003
dronex-aerial photography services | < 1.1.2001 | 1.1.2001
especio-food gutenberg theme | < 1.0.1 | 1.0.1
fc united-football | < 1.0.7 | 1.0.7
gloss blog | < 1.0.1 | 1.0.1
gridiron | < 1.0.2 | 1.0.2
hallelujah-church | < 1.0.1 | 1.0.1
heaven 11-multiskin property theme | < 1.0.2 | 1.0.2
helion-agency & portfolio | < 1.0.3 | 1.0.3
hobo digital nomad blog | < 1.0.3 | 1.0.3
impacto patronus multi-landing | < 1.1.2001 | 1.1.2001
justitia-multiskin lawyer theme | < 1.0.3 | 1.0.3
kargo-freight transport | < 1.1.2004 | 1.1.2004
katelyn-gutenberg wordpress blog theme | < 1.0.4 | 1.0.4
kids care | < 3.0.5 | 3.0.5
kratz-digital agency | < 1.0.2 | 1.0.2
lingvico-language learning school | < 1.0.3 | 1.0.3
maxify-startup blog | < 1.0.4 | 1.0.4
meals and wheels-food truck | < 1.0.3 | 1.0.3
modern housewife-housewife and family blog | < 1.0.2 | 1.0.2
mystik-esoterics | < 1.0.1 | 1.0.1
nazareth-church | < 1.0.5 | 1.0.5
nelson-barbershop + tattoo salon | < 1.0.1.2001 | 1.0.1.2001
netmix-broadband & telecom | < 1.0.2 | 1.0.2
ozeum-museum | < 1.0.2 | 1.0.2
partiso electioncampaign | < 1.1.2002 | 1.1.2002
piqes-creative startup & agency wordpress theme | < 1.0.1 | 1.0.1
pixefy | < 1.0.1 | 1.0.1
plumbing-repair, building & construction wordpress theme | < 3.0.1 | 3.0.1
prider-pride fest | < 1.0.2 | 1.0.2
rare radio | < 1.0.1 | 1.0.1
renewal-plastic surgeon clinic | < 1.0.3 | 1.0.3
rhodos-creative corporate wordpress theme | < 1.3.2001 | 1.3.2001
right way | < 4.0.1 | 4.0.1
rosalinda-vegetarian & health coach | < 1.0.3 | 1.0.3
rumble-single fighter boxer, news, gym, store | < 1.0.4 | 1.0.4
samadhi-buddhist | < 1.0.1 | 1.0.1
savejulia personal fundraising campaign | < 1.0.3 | 1.0.3
scientia-public library | < 1.0.1 | 1.0.1
skydiving and flying company | < 1.0.1 | 1.0.1
tacticool-shooting range wordpress theme | < 1.0.1 | 1.0.1
tantum-rent a car, rent a bike, rent a scooter multiskin theme | < 1.0.2 | 1.0.2
tediss-soft play area, cafe & child care center | < 1.0.3 | 1.0.3
tornados | < 1.1.2001 | 1.1.2001
vapester | < 1.1.2001 | 1.1.2001
vihara-ashram, buddhist | < 1.1.2001 | 1.1.2001
vixus-startup / mobile application | < 1.0.4 | 1.0.4
wellspring water filter systems | < 1.0.3 | 1.0.3
yolox-startup magazine & blog wordpress theme | < 1.0.3 | 1.0.3
yottis-simple portfolio | < 1.0.1 | 1.0.1
yungen-digital/marketing agency | < 1.0.1 | 1.0.1

Remediation is compiled from vendor and distribution security advisories. Always confirm against the linked source for your exact version and platform.

CVSS v3 Vector

Exploitability

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Impact

Confidentiality: High
Integrity: High
Availability: High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploit Intelligence

8.88% probability of exploitation in 30 days (95th percentile)

High risk: more likely to be exploited than 95% of all known CVEs.

References

Embed a live status badge for CVE-2020-10257:

Markdown

[![CVE-2020-10257](https://tridentstack.com/cve/badge/CVE-2020-10257.svg)](https://tridentstack.com/cve/CVE-2020-10257)

HTML

<a href="https://tridentstack.com/cve/CVE-2020-10257"><img src="https://tridentstack.com/cve/badge/CVE-2020-10257.svg" alt="CVE-2020-10257"></a>


This product uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog. Data as of 2024-11-21.