CVE-2020-10257

9.8 CRITICAL

Remote Code Execution

📋 TL;DR

CVE-2020-10257 is a critical remote code execution vulnerability in the ThemeREX Addons WordPress plugin. It allows unauthenticated attackers to execute arbitrary PHP code via an unsafe parameter in the REST API endpoint. All WordPress sites using vulnerable versions of the plugin are affected.

💻 Affected Systems

Products:

ThemeREX Addons WordPress Plugin

Versions: All versions before 2020-03-09

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with the ThemeREX Addons plugin enabled. The vulnerability is present in default configurations.

📦 What is this software?

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Addons by Themerex

View all CVEs affecting Addons →

Aldo Gutenberg Wordpress Blog Theme by Themerex

View all CVEs affecting Aldo Gutenberg Wordpress Blog Theme →

Amuli by Themerex

View all CVEs affecting Amuli →

Blabber by Themerex

View all CVEs affecting Blabber →

Bonkozoo Zoo by Themerex

View all CVEs affecting Bonkozoo Zoo →

Briny Diving Wordpress Theme by Themerex

View all CVEs affecting Briny Diving Wordpress Theme →

Bugster Pests Control by Themerex

View all CVEs affecting Bugster Pests Control →

Buzz Stone Magazine \& Blog by Themerex

View all CVEs affecting Buzz Stone Magazine \& Blog →

Chainpress by Themerex

View all CVEs affecting Chainpress →

Chit Club Board Games by Themerex

View all CVEs affecting Chit Club Board Games →

Coinpress Cryptocurrency Magazine \& Blog Wordpress Theme by Themerex

View all CVEs affecting Coinpress Cryptocurrency Magazine \& Blog Wordpress Theme →

Corredo Sport Event by Themerex

View all CVEs affecting Corredo Sport Event →

Dronex Aerial Photography Services by Themerex

View all CVEs affecting Dronex Aerial Photography Services →

Especio Food Gutenberg Theme by Themerex

View all CVEs affecting Especio Food Gutenberg Theme →

Fc United Football by Themerex

View all CVEs affecting Fc United Football →

Gloss Blog by Themerex

View all CVEs affecting Gloss Blog →

Gridiron by Themerex

View all CVEs affecting Gridiron →

Hallelujah Church by Themerex

View all CVEs affecting Hallelujah Church →

Heaven 11 Multiskin Property Theme by Themerex

View all CVEs affecting Heaven 11 Multiskin Property Theme →

Helion Agency \&portfolio by Themerex

View all CVEs affecting Helion Agency \&portfolio →

Hobo Digital Nomad Blog by Themerex

View all CVEs affecting Hobo Digital Nomad Blog →

Impacto Patronus Multi Landing by Themerex

View all CVEs affecting Impacto Patronus Multi Landing →

Justitia Multiskin Lawyer Theme by Themerex

View all CVEs affecting Justitia Multiskin Lawyer Theme →

Kargo Freight Transport by Themerex

View all CVEs affecting Kargo Freight Transport →

Katelyn Gutenberg Wordpress Blog Theme by Themerex

View all CVEs affecting Katelyn Gutenberg Wordpress Blog Theme →

Kids Care by Themerex

View all CVEs affecting Kids Care →

Kratz Digital Agency by Themerex

View all CVEs affecting Kratz Digital Agency →

Lingvico Language Learning School by Themerex

View all CVEs affecting Lingvico Language Learning School →

Maxify Startup Blog by Themerex

View all CVEs affecting Maxify Startup Blog →

Meals And Wheels Food Truck by Themerex

View all CVEs affecting Meals And Wheels Food Truck →

Modern Housewife Housewife And Family Blog by Themerex

View all CVEs affecting Modern Housewife Housewife And Family Blog →

Mystik Esoterics by Themerex

View all CVEs affecting Mystik Esoterics →

Nazareth Church by Themerex

View all CVEs affecting Nazareth Church →

Nelson Barbershop \+ Tattoo Salon by Themerex

View all CVEs affecting Nelson Barbershop \+ Tattoo Salon →

Netmix Broadband \& Telecom by Themerex

View all CVEs affecting Netmix Broadband \& Telecom →

Ozeum Museum by Themerex

View all CVEs affecting Ozeum Museum →

Partiso Electioncampaign by Themerex

View all CVEs affecting Partiso Electioncampaign →

Piqes Creative Startup \& Agency Wordpress Theme by Themerex

View all CVEs affecting Piqes Creative Startup \& Agency Wordpress Theme →

Pixefy by Themerex

View all CVEs affecting Pixefy →

Plumbing Repair\, Building \& Construction Wordpress Theme by Themerex

View all CVEs affecting Plumbing Repair\, Building \& Construction Wordpress Theme →

Prider Pride Fest by Themerex

View all CVEs affecting Prider Pride Fest →

Rare Radio by Themerex

View all CVEs affecting Rare Radio →

Renewal Plastic Surgeon Clinic by Themerex

View all CVEs affecting Renewal Plastic Surgeon Clinic →

Rhodos Creative Corporate Wordpress Theme by Themerex

View all CVEs affecting Rhodos Creative Corporate Wordpress Theme →

Right Way by Themerex

View all CVEs affecting Right Way →

Rosalinda Vegetarian \& Health Coach by Themerex

View all CVEs affecting Rosalinda Vegetarian \& Health Coach →

Rumble Single Fighter Boxer\, News\, Gym\, Store by Themerex

View all CVEs affecting Rumble Single Fighter Boxer\, News\, Gym\, Store →

Samadhi Buddhist by Themerex

View all CVEs affecting Samadhi Buddhist →

Savejulia Personal Fundraising Campaign by Themerex

View all CVEs affecting Savejulia Personal Fundraising Campaign →

Scientia Public Library by Themerex

View all CVEs affecting Scientia Public Library →

Skydiving And Flying Company by Themerex

View all CVEs affecting Skydiving And Flying Company →

Tacticool Shooting Range Wordpress Theme by Themerex

View all CVEs affecting Tacticool Shooting Range Wordpress Theme →

Tantum Rent A Car\, Rent A Bike\, Rent A Scooter Multiskin Theme by Themerex

View all CVEs affecting Tantum Rent A Car\, Rent A Bike\, Rent A Scooter Multiskin Theme →

Tediss Soft Play Area\, Cafe \& Child Care Center by Themerex

View all CVEs affecting Tediss Soft Play Area\, Cafe \& Child Care Center →

Topper Theme And Skins by Themerex

View all CVEs affecting Topper Theme And Skins →

Tornados by Themerex

View all CVEs affecting Tornados →

Vapester by Themerex

View all CVEs affecting Vapester →

Vihara Ashram\, Buddhist by Themerex

View all CVEs affecting Vihara Ashram\, Buddhist →

Vixus Startup \/ Mobile Application by Themerex

View all CVEs affecting Vixus Startup \/ Mobile Application →

Wellspring Water Filter Systems by Themerex

View all CVEs affecting Wellspring Water Filter Systems →

Yolox Startup Magazine \& Blog Wordpress Theme by Themerex

View all CVEs affecting Yolox Startup Magazine \& Blog Wordpress Theme →

Yottis Simple Portfolio by Themerex

View all CVEs affecting Yottis Simple Portfolio →

Yungen Digital\/marketing Agency by Themerex

View all CVEs affecting Yungen Digital\/marketing Agency →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to install backdoors, steal data, deface websites, or use the server for further attacks.

🟠

Likely Case

Website defacement, malware injection, data theft, or cryptocurrency mining malware installation.

🟢

If Mitigated

No impact if the vulnerable endpoint is properly restricted or the plugin is updated/disabled.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication on publicly accessible WordPress sites.

🏢 Internal Only: MEDIUM - Internal WordPress sites could still be exploited by internal attackers or through compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation is trivial with publicly available proof-of-concept code. The vulnerability was actively exploited in the wild before patching.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2020-03-09 or later

Vendor Advisory: https://themerex.net/

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find ThemeREX Addons plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable vulnerable REST endpoint

all

Add code to functions.php to block access to the vulnerable endpoint

add_filter('rest_endpoints', function($endpoints) { if (isset($endpoints['/trx_addons/v2/get/sc_layout'])) { unset($endpoints['/trx_addons/v2/get/sc_layout']); } return $endpoints; });

Disable plugin

all

Temporarily disable ThemeREX Addons plugin until patched

Navigate to WordPress admin → Plugins → Installed Plugins → Deactivate ThemeREX Addons

🧯 If You Can't Patch

Implement web application firewall (WAF) rules to block requests to /trx_addons/v2/get/sc_layout endpoint
Restrict access to WordPress admin and REST API endpoints using IP whitelisting or authentication

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → ThemeREX Addons → Version. If version date is before 2020-03-09, you are vulnerable.

Check Version:

wp plugin list --name=trx-addons --field=version (if WP-CLI installed)

Verify Fix Applied:

Verify plugin version is 2020-03-09 or later. Test endpoint access with curl: curl -X POST https://yoursite.com/wp-json/trx_addons/v2/get/sc_layout -d '{"sc":"phpinfo()"}' should return error or no PHP execution.

📡 Detection & Monitoring

Log Indicators:

POST requests to /wp-json/trx_addons/v2/get/sc_layout
Unusual PHP execution errors in web server logs
Suspicious user agents or IPs accessing REST endpoints

Network Indicators:

POST requests to /trx_addons/v2/get/sc_layout with PHP code in parameters
Unusual outbound connections from web server after exploitation

SIEM Query:

source="web_logs" AND (url_path="/wp-json/trx_addons/v2/get/sc_layout" OR url_path="/?rest_route=/trx_addons/v2/get/sc_layout")

📊 Metadata

CVE ID: CVE-2020-10257

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

Published: March 10, 2020

Last Updated: November 21, 2024

🔗 References

https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/ Exploit,Third Party Advisory
https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/ Exploit,Third Party Advisory