TROYANOSYVIRUS

CVE-2020-10257

CRITICAL
9.8

Description

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

CVE details

CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 3/10/2020
Last modified: 11/21/2024
Source: nvd
Honeypot sightings: 0

Affected products

themerex:addons
themerex:aldo-gutenberg_wordpress_blog_theme
themerex:amuli
themerex:blabber
themerex:bonkozoo_zoo
themerex:briny-diving_wordpress_theme
themerex:bugster-pests_control
themerex:buzz_stone-magazine_\&_blog
themerex:chainpress
themerex:chit_club-board_games
themerex:coinpress-cryptocurrency_magazine_\&_blog_wordpress_theme
themerex:corredo_sport_event
themerex:dronex-aerial_photography_services
themerex:especio-food_gutenberg_theme
themerex:fc_united-football
themerex:gloss_blog
themerex:gridiron
themerex:hallelujah-church
themerex:heaven_11-multiskin_property_theme
themerex:helion-agency_\&portfolio
themerex:hobo_digital_nomad_blog
themerex:impacto_patronus_multi-landing
themerex:justitia-multiskin_lawyer_theme
themerex:kargo-freight_transport
themerex:katelyn-gutenberg_wordpress_blog_theme
themerex:kids_care
themerex:kratz-digital_agency
themerex:lingvico-language_learning_school
themerex:maxify-startup_blog
themerex:meals_and_wheels-food_truck
themerex:modern_housewife-housewife_and_family_blog
themerex:mystik-esoterics
themerex:nazareth-church
themerex:nelson-barbershop_\+_tattoo_salon
themerex:netmix-broadband_\&_telecom
themerex:ozeum-museum
themerex:partiso_electioncampaign
themerex:piqes-creative_startup_\&_agency_wordpress_theme
themerex:pixefy
themerex:plumbing-repair\,_building_\&_construction_wordpress_theme
themerex:prider-pride_fest
themerex:rare_radio
themerex:renewal-plastic_surgeon_clinic
themerex:rhodos-creative_corporate_wordpress_theme
themerex:right_way
themerex:rosalinda-vegetarian_\&_health_coach
themerex:rumble-single_fighter_boxer\,_news\,_gym\,_store
themerex:samadhi-buddhist
themerex:savejulia_personal_fundraising_campaign
themerex:scientia-public_library
themerex:skydiving_and_flying_company
themerex:tacticool-shooting_range_wordpress_theme
themerex:tantum-rent_a_car\,_rent_a_bike\,_rent_a_scooter_multiskin_theme
themerex:tediss-soft_play_area\,_cafe_\&_child_care_center
themerex:topper_theme_and_skins
themerex:tornados
themerex:vapester
themerex:vihara-ashram\,_buddhist
themerex:vixus-startup_\/_mobile_application
themerex:wellspring_water_filter_systems
themerex:yolox-startup_magazine_\&_blog_wordpress_theme
themerex:yottis-simple_portfolio
themerex:yungen-digital\/marketing_agency

Weaknesses (CWE)

CWE-94, CWE-862

IOC correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.