CVE-2020-10257

Exploit

EPSS 47.78%
Veröffentlicht 10.03.2020 00:15:10
Zuletzt bearbeitet 21.11.2024 04:55:05
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

ThemeREX Addons (Various Versions) - Missing Authorization

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

Mögliche Gegenmaßnahme

ThemeREX Addons: Update to one of the following versions, or a newer patched version: 1.6.49.10, 1.6.49.6, 1.6.49.6.3, 1.6.49.7, 1.6.50.2, 1.6.51.4, 1.6.52.3, 1.6.53.4, 1.6.54.1, 1.6.55.8, 1.6.56.1, 1.6.57.4, 1.6.58.3, 1.6.59.1.2, 1.6.59.4, 1.6.60.1, 1.6.61.1.1, 1.6.61.2.1, 1.6.62.4, 1.6.65.1, 1.6.66.1, 1.6.67.1, 1.70.3.1

Betroffene Produkte Warnungen 0 Metriken 4 CWE 2 Referenzen 5

Weitere Schwachstelleninformationen

SystemWordPress Plugin

≫

Produkt ThemeREX Addons

Version [*, 1.6.49.6)

Version [1.6.49.6.2, 1.6.49.6.3)

Version [1.6.49.8, 1.6.49.9)

Version [1.6.50, 1.6.50.2)

Version [1.6.51, 1.6.51.4)

Version [1.6.52, 1.6.52.3)

Version [1.6.53, 1.6.53.4)

Version [1.6.54, 1.6.54.1)

Version [1.6.55, 1.6.55.8)

Version [1.6.56, 1.6.56.1)

Version [1.6.57, 1.6.57.4)

Version [1.6.58.2, 1.6.58.3)

Version 1.6.59

Version 1.6.59.1

Version [1.6.59.1.1, 1.6.59.1.2)

Version [1.6.59.2, 1.6.59.4)

Version [1.6.60, 1.6.60.1)

Version 1.6.61

Version 1.6.61.1

Version [1.6.61.1.0, 1.6.61.1.1)

Version [1.6.61.2, 1.6.61.2.1)

Version [1.6.65, 1.6.65.1)

Version [1.6.66, 1.6.66.1)

Version [1.6.67, 1.6.67.1)

Version 1.70.3

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Themerex ≫ Addons Version1.70.3 SwPlatformwordpress

Themerex ≫ Ozeum-museum SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.70.3 SwPlatformwordpress

Themerex ≫ Chit Club-board Games SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.67 SwPlatformwordpress

Themerex ≫ Yottis-simple Portfolio SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.66 SwPlatformwordpress

Themerex ≫ Helion-agency &portfolio SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.66 SwPlatformwordpress

Themerex ≫ Amuli SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.65 SwPlatformwordpress

Themerex ≫ Nelson-barbershop + Tattoo Salon SwPlatformwordpress Version < 1.0.1.2001

Themerex ≫ Addons Version1.6.65 SwPlatformwordpress

Themerex ≫ Hallelujah-church SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.65 SwPlatformwordpress

Themerex ≫ Right Way SwPlatformwordpress Version < 4.0.1

Themerex ≫ Addons Version1.6.65 SwPlatformwordpress

Themerex ≫ Prider-pride Fest SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.62.3 SwPlatformwordpress

Themerex ≫ Mystik-esoterics SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.62.3 SwPlatformwordpress

Themerex ≫ Skydiving And Flying Company SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.62.1 SwPlatformwordpress

Themerex ≫ Dronex-aerial Photography Services SwPlatformwordpress Version < 1.1.2001

Themerex ≫ Addons Version1.6.61.2 SwPlatformwordpress

Themerex ≫ Samadhi-buddhist SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.61.3 SwPlatformwordpress

Themerex ≫ Tantum-rent A Car, Rent A Bike, Rent A Scooter Multiskin Theme SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.61.2 SwPlatformwordpress

Themerex ≫ Scientia-public Library SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.61.2 SwPlatformwordpress

Themerex ≫ Blabber SwPlatformwordpress Version < 1.5.2009

Themerex ≫ Addons Version1.6.61.1 SwPlatformwordpress

Themerex ≫ Impacto Patronus Multi-landing SwPlatformwordpress Version < 1.1.2001

Themerex ≫ Addons Version1.6.61 SwPlatformwordpress

Themerex ≫ Rare Radio SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.60 SwPlatformwordpress

Themerex ≫ Piqes-creative Startup & Agency Wordpress Theme SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.59.3 SwPlatformwordpress

Themerex ≫ Kratz-digital Agency SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.59.2 SwPlatformwordpress

Themerex ≫ Pixefy SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.59.1.1 SwPlatformwordpress

Themerex ≫ Netmix-broadband & Telecom SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.59 SwPlatformwordpress

Themerex ≫ Kids Care SwPlatformwordpress Version < 3.0.5

Themerex ≫ Addons Version1.6.58.2 SwPlatformwordpress

Themerex ≫ Briny-diving Wordpress Theme SwPlatformwordpress Version < 1.2.2000

Themerex ≫ Addons Version1.6.57.3 SwPlatformwordpress

Themerex ≫ Tornados SwPlatformwordpress Version < 1.1.2001

Themerex ≫ Addons Version1.6.57.4 SwPlatformwordpress

Themerex ≫ Gridiron SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.57.2 SwPlatformwordpress

Themerex ≫ Yungen-digital/marketing Agency SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.57.3 SwPlatformwordpress

Themerex ≫ Fc United-football SwPlatformwordpress Version < 1.0.7

Themerex ≫ Addons Version1.6.57.2 SwPlatformwordpress

Themerex ≫ Bugster-pests Control SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.57 SwPlatformwordpress

Themerex ≫ Rumble-single Fighter Boxer, News, Gym, Store SwPlatformwordpress Version < 1.0.4

Themerex ≫ Addons Version1.6.56 SwPlatformwordpress

Themerex ≫ Tacticool-shooting Range Wordpress Theme SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.55.4 SwPlatformwordpress

Themerex ≫ Coinpress-cryptocurrency Magazine & Blog Wordpress Theme SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.55.7 SwPlatformwordpress

Themerex ≫ Vihara-ashram, Buddhist SwPlatformwordpress Version < 1.1.2001

Themerex ≫ Addons Version1.6.55.3 SwPlatformwordpress

Themerex ≫ Katelyn-gutenberg Wordpress Blog Theme SwPlatformwordpress Version < 1.0.4

Themerex ≫ Addons Version1.6.55.1 SwPlatformwordpress

Themerex ≫ Heaven 11-multiskin Property Theme SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.54 SwPlatformwordpress

Themerex ≫ Especio-food Gutenberg Theme SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.53.1 SwPlatformwordpress

Themerex ≫ Partiso Electioncampaign SwPlatformwordpress Version < 1.1.2002

Themerex ≫ Addons Version1.6.53.3 SwPlatformwordpress

Themerex ≫ Kargo-freight Transport SwPlatformwordpress Version < 1.1.2004

Themerex ≫ Addons Version1.6.53.2 SwPlatformwordpress

Themerex ≫ Maxify-startup Blog SwPlatformwordpress Version < 1.0.4

Themerex ≫ Addons Version1.6.53.1 SwPlatformwordpress

Themerex ≫ Lingvico-language Learning School SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.53.2 SwPlatformwordpress

Themerex ≫ Aldo-gutenberg Wordpress Blog Theme SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.52.2 SwPlatformwordpress

Themerex ≫ Vixus-startup / Mobile Application SwPlatformwordpress Version < 1.0.4

Themerex ≫ Addons Version1.6.52.1 SwPlatformwordpress

Themerex ≫ Wellspring Water Filter Systems SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.52.1 SwPlatformwordpress

Themerex ≫ Nazareth-church SwPlatformwordpress Version < 1.0.5

Themerex ≫ Addons Version1.6.53 SwPlatformwordpress

Themerex ≫ Tediss-soft Play Area, Cafe & Child Care Center SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.51.3 SwPlatformwordpress

Themerex ≫ Yolox-startup Magazine & Blog Wordpress Theme SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.51.3 SwPlatformwordpress

Themerex ≫ Meals And Wheels-food Truck SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.51.1 SwPlatformwordpress

Themerex ≫ Rosalinda-vegetarian & Health Coach SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.50 SwPlatformwordpress

Themerex ≫ Vapester SwPlatformwordpress Version < 1.1.2001

Themerex ≫ Addons Version1.6.50 SwPlatformwordpress

Themerex ≫ Modern Housewife-housewife And Family Blog SwPlatformwordpress Version < 1.0.2

Themerex ≫ Addons Version1.6.50.1 SwPlatformwordpress

Themerex ≫ Chainpress SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.51.1 SwPlatformwordpress

Themerex ≫ Justitia-multiskin Lawyer Theme SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.50 SwPlatformwordpress

Themerex ≫ Hobo Digital Nomad Blog SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.50.1 SwPlatformwordpress

Themerex ≫ Rhodos-creative Corporate Wordpress Theme SwPlatformwordpress Version < 1.3.2001

Themerex ≫ Addons Version1.6.50 SwPlatformwordpress

Themerex ≫ Buzz Stone-magazine & Blog SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.0.49.10 SwPlatformwordpress

Themerex ≫ Corredo Sport Event SwPlatformwordpress Version < 1.1.2003

Themerex ≫ Addons Version1.6.49.8 SwPlatformwordpress

Themerex ≫ Savejulia Personal Fundraising Campaign SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.49.6 SwPlatformwordpress

Themerex ≫ Bonkozoo Zoo SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.49.6.2 SwPlatformwordpress

Themerex ≫ Renewal-plastic Surgeon Clinic SwPlatformwordpress Version < 1.0.3

Themerex ≫ Addons Version1.6.49.5 SwPlatformwordpress

Themerex ≫ Gloss Blog SwPlatformwordpress Version < 1.0.1

Themerex ≫ Addons Version1.6.58.2 SwPlatformwordpress

Themerex ≫ Plumbing-repair, Building & Construction Wordpress Theme SwPlatformwordpress Version < 3.0.1

Themerex ≫ Addons Version1.6.61.2 SwPlatformwordpress

Themerex ≫ Topper Theme And Skins Version- SwPlatformwordpress

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	47.78%	0.976

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P
cve@mitre.org	9.8	3.9	5.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-862 Missing Authorization

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/

Third Party Advisory

Exploit

https://www.wordfence.com/threat-intel/vulnerabilities/id/1a14b674-620e-4247-a200-92d9f23acbca

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2020-10257

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2020-10257

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2020-10257

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2020-10257