CVE-2020-10257

Name: CVE-2020-10257
Creator: NVD / NIST
Published: 2020-03-10T00:15:10.757+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 8.88%

Last modified Jun 17, 2026

CVE-2020-10257 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.. EPSS estimates a 8.88% chance of exploitation in the next 30 days.

Description

The ThemeREX Addons plugin before 2020-03-09 for WordPress lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint, allowing for PHP functions to be executed by any users, because includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

8.88%

94.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Themerex	Addons	1.70.3
Themerex	Ozeum-Museum	< 1.0.2
Themerex	Chit Club-Board Games	< 1.0.1
Themerex	Addons	1.6.67
Themerex	Yottis-Simple Portfolio	< 1.0.1
Themerex	Addons	1.6.66
Themerex	Helion-Agency \&Portfolio	< 1.0.3
Themerex	Amuli	< 1.0.2
Themerex	Addons	1.6.65
Themerex	Nelson-Barbershop \+ Tattoo Salon	< 1.0.1.2001
Themerex	Hallelujah-Church	< 1.0.1
Themerex	Right Way	< 4.0.1
Themerex	Prider-Pride Fest	< 1.0.2
Themerex	Addons	1.6.62.3
Themerex	Mystik-Esoterics	< 1.0.1
Themerex	Skydiving And Flying Company	< 1.0.1
Themerex	Addons	1.6.62.1
Themerex	Dronex-Aerial Photography Services	< 1.1.2001
Themerex	Addons	1.6.61.2
Themerex	Samadhi-Buddhist	< 1.0.1
Themerex	Addons	1.6.61.3
Themerex	Tantum-Rent A Car\, Rent A Bike\, Rent A Scooter Multiskin Theme	< 1.0.2
Themerex	Scientia-Public Library	< 1.0.1
Themerex	Blabber	< 1.5.2009
Themerex	Addons	1.6.61.1
Themerex	Impacto Patronus Multi-Landing	< 1.1.2001
Themerex	Addons	1.6.61
Themerex	Rare Radio	< 1.0.1
Themerex	Addons	1.6.60
Themerex	Piqes-Creative Startup \& Agency Wordpress Theme	< 1.0.1
Themerex	Addons	1.6.59.3
Themerex	Kratz-Digital Agency	< 1.0.2
Themerex	Addons	1.6.59.2
Themerex	Pixefy	< 1.0.1
Themerex	Addons	1.6.59.1.1
Themerex	Netmix-Broadband \& Telecom	< 1.0.2
Themerex	Addons	1.6.59
Themerex	Kids Care	< 3.0.5
Themerex	Addons	1.6.58.2
Themerex	Briny-Diving Wordpress Theme	< 1.2.2000
Themerex	Addons	1.6.57.3
Themerex	Tornados	< 1.1.2001
Themerex	Addons	1.6.57.4
Themerex	Gridiron	< 1.0.2
Themerex	Addons	1.6.57.2
Themerex	Yungen-Digital\/Marketing Agency	< 1.0.1
Themerex	Fc United-Football	< 1.0.7
Themerex	Bugster-Pests Control	< 1.0.2
Themerex	Addons	1.6.57
Themerex	Rumble-Single Fighter Boxer\, News\, Gym\, Store	< 1.0.4

Showing 50 of 103 affected configurations. See NVD for the full list.

References

https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/Exploit, Third Party Advisory
https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/Exploit, Third Party Advisory

Timeline

Published: Mar 10, 2020
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2020-10257?

How severe is CVE-2020-10257?

CVE-2020-10257 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 8.88% probability of exploitation in the next 30 days.

How do I fix CVE-2020-10257?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2020-10257?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST