CVE-2020-10257

The ThemeREX Addons plugin for WordPress, in builds before 2020-03-09, lacks access control on the /trx_addons/v2/get/sc_layout REST API endpoint: includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsanitized sc parameter taken from the request, so any user, including an unauthenticated one, can cause PHP functions named in that parameter to be executed on the server.

Published: 2020-03-10
Last update: 2024-11-21
Assigner: [email protected]
Source: [email protected]

Conclusion & alert: CVE-2020-10257 is rated High Exploit Risk (93.7/100): CVSS Critical severity with high exploitation likelihood (EPSS 66.63%, 99th percentile). Core evidence: 1 public exploit reference is indexed (Exploit-DB). EPSS rose 18.85 percentage points over the last day, indicating growing attacker interest. Mandatory action: public exploits are available, so assess exposure (is ThemeREX Addons installed, and is the sc_layout route reachable from the network?), apply mitigations (block or restrict the endpoint until the plugin is updated), and prioritize patching to a plugin build dated 2020-03-09 or later.
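Two of the checks the alert above asks for, exposure assessment and detection, as an added example written for this page (it is not code from the tracker, from ThemeREX or from WordPress). It assumes the site serves the standard WordPress REST index at /wp-json/ (a JSON object with "namespaces" and "routes") and that the web server writes Combined Log Format; the REST index and the log lines embedded below are constructed, and the function names assess_rest_index, scan_access_log and _rest_route_of are this example's own.

```python
"""Exposure check and log detection for CVE-2020-10257 (ThemeREX Addons sc_layout endpoint).

Added example for this page, not code from the tracker, ThemeREX or WordPress.
Assumptions: a standard WordPress REST index at /wp-json/ and Combined Log
Format access logs. All sample data below is constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint named in the CVE description, as WordPress registers it (namespace + route).
NAMESPACE = "trx_addons/v2"
ROUTE = "/trx_addons/v2/get/sc_layout"

# Combined Log Format: ip ident user [ts] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)


def assess_rest_index(index: dict) -> dict:
    """Report whether the plugin namespace and the sc_layout route are registered.

    The index is what an anonymous client sees, so a listed route is reachable
    from the network. The index does not reveal whether a permission check is
    wired to the route, so route_present is a prompt to verify the plugin
    version, not proof that the endpoint is exploitable.
    """
    route = index.get("routes", {}).get(ROUTE)
    methods = sorted({m for ep in (route or {}).get("endpoints", [])
                      for m in ep.get("methods", [])})
    return {
        "plugin_present": NAMESPACE in index.get("namespaces", []),
        "route_present": route is not None,
        "methods": methods,
    }


def _rest_route_of(target: str):
    """Return (route, form) for a request target, or (None, None).

    WordPress serves REST routes both as /wp-json/<route> (pretty permalinks)
    and as /?rest_route=<route>, so both forms are checked; parse_qs also undoes
    percent-encoding of the rest_route value.
    """
    parts = urlsplit(target)
    if parts.path.endswith(ROUTE):
        return parts.path, "pretty"
    rest_route = parse_qs(parts.query).get("rest_route", [None])[0]
    if rest_route and rest_route.endswith(ROUTE):
        return rest_route, "rest_route"
    return None, None


def scan_access_log(lines) -> list:
    """Return one finding per request that reached the sc_layout endpoint.

    Each finding carries the raw sc value: on an unpatched plugin that value
    names a PHP function the server was asked to call, so every hit is worth
    analyst review rather than being filtered by a list of known-bad names.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not Combined Log Format; skip rather than guess
        route, form = _rest_route_of(m.group("target"))
        if route is None:
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        findings.append({
            "ip": m.group("ip"),
            "timestamp": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "form": form,
            "sc": query.get("sc", [""])[0],
        })
    return findings


# Constructed sample data (not real captures).
SAMPLE_REST_INDEX = {
    "namespaces": ["wp/v2", "trx_addons/v2"],
    "routes": {
        "/wp/v2/posts": {"namespace": "wp/v2", "methods": ["GET", "POST"]},
        ROUTE: {"namespace": NAMESPACE, "methods": ["GET"],
                "endpoints": [{"methods": ["GET"], "args": {"sc": {"required": False}}}]},
    },
}

SAMPLE_LOG_LINES = [
    '203.0.113.10 - - [10/Mar/2020:04:12:33 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=some_php_function HTTP/1.1" 200 512 "-" "curl/7.64.1"',
    '198.51.100.7 - - [10/Mar/2020:04:13:01 +0000] "GET /?rest_route=%2Ftrx_addons%2Fv2%2Fget%2Fsc_layout&sc=another_function HTTP/1.1" 200 498 "-" "python-requests/2.22.0"',
    '192.0.2.44 - - [10/Mar/2020:04:13:20 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    print(assess_rest_index(SAMPLE_REST_INDEX))
    for finding in scan_access_log(SAMPLE_LOG_LINES):
        print(finding)
```

Two caveats when using this against a real site. A route listed in the REST index means the plugin is installed and the route is network-reachable, but the index does not show permission callbacks, so treat route_present as "confirm the plugin build date or version" rather than as confirmation of the bug; an absent route may mean a patched build, a disabled REST index or a WAF rule, not a clean site. The log scan deliberately reports every request to the endpoint, in both URL forms, because this page does not say what a legitimate sc value looks like; review the sc values and source addresses rather than filtering on a signature.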

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Public exploit references (Exploit-DB) for CVE-2020-10257

EDB-ID Source Kind Published Link
nvd_ref exploit_tag Exploit-DB ↗

Exploit prediction scoring system (EPSS) score for CVE-2020-10257

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old, percentage points)
1 2026-03-20 47.78% 66.63% +18.85%
2 2025-12-19 54.23% 47.78% -6.45%
3 2025-11-21 54.23%

Full EPSS history (19 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-10257

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.8 3.1 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9 [email protected]
9.8 3.0 CRITICAL CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9 [email protected]
7.5 2.0 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P 10.0 6.4 [email protected]

CVSS v3 metric breakdown (the 3.1 and 3.0 vectors are identical)
Attack vector (AV:N)
Reachable over the internet or any routed network; no local or physical access is needed.
Attack complexity (AC:L)
Once the endpoint is reachable, exploitation is straightforward: no race conditions or special setup.
Privileges required (PR:N)
No account or special rights are needed; an anonymous request is enough.
User interaction (UI:N)
No victim action is required; nothing has to be clicked or opened.
Scope (S:U)
Impact stays within the security authority of the vulnerable component (the WordPress site); there is no spill into a separately controlled system.
Confidentiality (C:H)
Total loss of confidentiality for the data the component can reach.
Integrity (I:H)
Total loss of integrity: the attacker can modify or forge any data the component can reach.
Availability (A:H)
Total loss of availability: the attacker can take the service down or make it unusable.

CVSS v2 metric breakdown
Access vector (AV:N)
Exploitable remotely over the network.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (Au:N)
No authentication is required.
Confidentiality impact (C:P)
Partial disclosure of information.
Integrity impact (I:P)
Partial modification of data is possible.
Availability impact (A:P)
Reduced performance or interruptions in availability.

Weakness enumeration for CVE-2020-10257

Affected software / configurations for CVE-2020-10257

Vendor Product Version Raw CPE
themerex addons 1.70.3 cpe:2.3:a:themerex:addons:1.70.3:*:*:*:*:wordpress:*:*
themerex ozeum-museum < 1.0.2 cpe:2.3:a:themerex:ozeum-museum:*:*:*:*:*:wordpress:*:*
themerex chit_club-board_games < 1.0.1 cpe:2.3:a:themerex:chit_club-board_games:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.67 cpe:2.3:a:themerex:addons:1.6.67:*:*:*:*:wordpress:*:*
themerex yottis-simple_portfolio < 1.0.1 cpe:2.3:a:themerex:yottis-simple_portfolio:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.66 cpe:2.3:a:themerex:addons:1.6.66:*:*:*:*:wordpress:*:*
themerex helion-agency_\&portfolio < 1.0.3 cpe:2.3:a:themerex:helion-agency_\&portfolio:*:*:*:*:*:wordpress:*:*
themerex amuli < 1.0.2 cpe:2.3:a:themerex:amuli:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.65 cpe:2.3:a:themerex:addons:1.6.65:*:*:*:*:wordpress:*:*
themerex nelson-barbershop_\+_tattoo_salon < 1.0.1.2001 cpe:2.3:a:themerex:nelson-barbershop_\+_tattoo_salon:*:*:*:*:*:wordpress:*:*
themerex hallelujah-church < 1.0.1 cpe:2.3:a:themerex:hallelujah-church:*:*:*:*:*:wordpress:*:*
themerex right_way < 4.0.1 cpe:2.3:a:themerex:right_way:*:*:*:*:*:wordpress:*:*
themerex prider-pride_fest < 1.0.2 cpe:2.3:a:themerex:prider-pride_fest:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.62.3 cpe:2.3:a:themerex:addons:1.6.62.3:*:*:*:*:wordpress:*:*
themerex mystik-esoterics < 1.0.1 cpe:2.3:a:themerex:mystik-esoterics:*:*:*:*:*:wordpress:*:*
themerex skydiving_and_flying_company < 1.0.1 cpe:2.3:a:themerex:skydiving_and_flying_company:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.62.1 cpe:2.3:a:themerex:addons:1.6.62.1:*:*:*:*:wordpress:*:*
themerex dronex-aerial_photography_services < 1.1.2001 cpe:2.3:a:themerex:dronex-aerial_photography_services:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.61.2 cpe:2.3:a:themerex:addons:1.6.61.2:*:*:*:*:wordpress:*:*
themerex samadhi-buddhist < 1.0.1 cpe:2.3:a:themerex:samadhi-buddhist:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.61.3 cpe:2.3:a:themerex:addons:1.6.61.3:*:*:*:*:wordpress:*:*
themerex tantum-rent_a_car\,_rent_a_bike\,_rent_a_scooter_multiskin_theme < 1.0.2 cpe:2.3:a:themerex:tantum-rent_a_car\,_rent_a_bike\,_rent_a_scooter_multiskin_theme:*:*:*:*:*:wordpress:*:*
themerex scientia-public_library < 1.0.1 cpe:2.3:a:themerex:scientia-public_library:*:*:*:*:*:wordpress:*:*
themerex blabber < 1.5.2009 cpe:2.3:a:themerex:blabber:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.61.1 cpe:2.3:a:themerex:addons:1.6.61.1:*:*:*:*:wordpress:*:*
themerex impacto_patronus_multi-landing < 1.1.2001 cpe:2.3:a:themerex:impacto_patronus_multi-landing:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.61 cpe:2.3:a:themerex:addons:1.6.61:*:*:*:*:wordpress:*:*
themerex rare_radio < 1.0.1 cpe:2.3:a:themerex:rare_radio:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.60 cpe:2.3:a:themerex:addons:1.6.60:*:*:*:*:wordpress:*:*
themerex piqes-creative_startup_\&_agency_wordpress_theme < 1.0.1 cpe:2.3:a:themerex:piqes-creative_startup_\&_agency_wordpress_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.59.3 cpe:2.3:a:themerex:addons:1.6.59.3:*:*:*:*:wordpress:*:*
themerex kratz-digital_agency < 1.0.2 cpe:2.3:a:themerex:kratz-digital_agency:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.59.2 cpe:2.3:a:themerex:addons:1.6.59.2:*:*:*:*:wordpress:*:*
themerex pixefy < 1.0.1 cpe:2.3:a:themerex:pixefy:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.59.1.1 cpe:2.3:a:themerex:addons:1.6.59.1.1:*:*:*:*:wordpress:*:*
themerex netmix-broadband_\&_telecom < 1.0.2 cpe:2.3:a:themerex:netmix-broadband_\&_telecom:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.59 cpe:2.3:a:themerex:addons:1.6.59:*:*:*:*:wordpress:*:*
themerex kids_care < 3.0.5 cpe:2.3:a:themerex:kids_care:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.58.2 cpe:2.3:a:themerex:addons:1.6.58.2:*:*:*:*:wordpress:*:*
themerex briny-diving_wordpress_theme < 1.2.2000 cpe:2.3:a:themerex:briny-diving_wordpress_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.57.3 cpe:2.3:a:themerex:addons:1.6.57.3:*:*:*:*:wordpress:*:*
themerex tornados < 1.1.2001 cpe:2.3:a:themerex:tornados:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.57.4 cpe:2.3:a:themerex:addons:1.6.57.4:*:*:*:*:wordpress:*:*
themerex gridiron < 1.0.2 cpe:2.3:a:themerex:gridiron:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.57.2 cpe:2.3:a:themerex:addons:1.6.57.2:*:*:*:*:wordpress:*:*
themerex yungen-digital\/marketing_agency < 1.0.1 cpe:2.3:a:themerex:yungen-digital\/marketing_agency:*:*:*:*:*:wordpress:*:*
themerex fc_united-football < 1.0.7 cpe:2.3:a:themerex:fc_united-football:*:*:*:*:*:wordpress:*:*
themerex bugster-pests_control < 1.0.2 cpe:2.3:a:themerex:bugster-pests_control:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.57 cpe:2.3:a:themerex:addons:1.6.57:*:*:*:*:wordpress:*:*
themerex rumble-single_fighter_boxer\,_news\,_gym\,_store < 1.0.4 cpe:2.3:a:themerex:rumble-single_fighter_boxer\,_news\,_gym\,_store:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.56 cpe:2.3:a:themerex:addons:1.6.56:*:*:*:*:wordpress:*:*
themerex tacticool-shooting_range_wordpress_theme < 1.0.1 cpe:2.3:a:themerex:tacticool-shooting_range_wordpress_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.55.4 cpe:2.3:a:themerex:addons:1.6.55.4:*:*:*:*:wordpress:*:*
themerex coinpress-cryptocurrency_magazine_\&_blog_wordpress_theme < 1.0.2 cpe:2.3:a:themerex:coinpress-cryptocurrency_magazine_\&_blog_wordpress_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.55.7 cpe:2.3:a:themerex:addons:1.6.55.7:*:*:*:*:wordpress:*:*
themerex vihara-ashram\,_buddhist < 1.1.2001 cpe:2.3:a:themerex:vihara-ashram\,_buddhist:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.55.3 cpe:2.3:a:themerex:addons:1.6.55.3:*:*:*:*:wordpress:*:*
themerex katelyn-gutenberg_wordpress_blog_theme < 1.0.4 cpe:2.3:a:themerex:katelyn-gutenberg_wordpress_blog_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.55.1 cpe:2.3:a:themerex:addons:1.6.55.1:*:*:*:*:wordpress:*:*
themerex heaven_11-multiskin_property_theme < 1.0.2 cpe:2.3:a:themerex:heaven_11-multiskin_property_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.54 cpe:2.3:a:themerex:addons:1.6.54:*:*:*:*:wordpress:*:*
themerex especio-food_gutenberg_theme < 1.0.1 cpe:2.3:a:themerex:especio-food_gutenberg_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.53.1 cpe:2.3:a:themerex:addons:1.6.53.1:*:*:*:*:wordpress:*:*
themerex partiso_electioncampaign < 1.1.2002 cpe:2.3:a:themerex:partiso_electioncampaign:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.53.3 cpe:2.3:a:themerex:addons:1.6.53.3:*:*:*:*:wordpress:*:*
themerex kargo-freight_transport < 1.1.2004 cpe:2.3:a:themerex:kargo-freight_transport:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.53.2 cpe:2.3:a:themerex:addons:1.6.53.2:*:*:*:*:wordpress:*:*
themerex maxify-startup_blog < 1.0.4 cpe:2.3:a:themerex:maxify-startup_blog:*:*:*:*:*:wordpress:*:*
themerex lingvico-language_learning_school < 1.0.3 cpe:2.3:a:themerex:lingvico-language_learning_school:*:*:*:*:*:wordpress:*:*
themerex aldo-gutenberg_wordpress_blog_theme < 1.0.2 cpe:2.3:a:themerex:aldo-gutenberg_wordpress_blog_theme:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.52.2 cpe:2.3:a:themerex:addons:1.6.52.2:*:*:*:*:wordpress:*:*
themerex vixus-startup_\/_mobile_application < 1.0.4 cpe:2.3:a:themerex:vixus-startup_\/_mobile_application:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.52.1 cpe:2.3:a:themerex:addons:1.6.52.1:*:*:*:*:wordpress:*:*
themerex wellspring_water_filter_systems < 1.0.3 cpe:2.3:a:themerex:wellspring_water_filter_systems:*:*:*:*:*:wordpress:*:*
themerex nazareth-church < 1.0.5 cpe:2.3:a:themerex:nazareth-church:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.53 cpe:2.3:a:themerex:addons:1.6.53:*:*:*:*:wordpress:*:*
themerex tediss-soft_play_area\,_cafe_\&_child_care_center < 1.0.3 cpe:2.3:a:themerex:tediss-soft_play_area\,_cafe_\&_child_care_center:*:*:*:*:*:wordpress:*:*
themerex addons 1.6.51.3 cpe:2.3:a:themerex:addons:1.6.51.3:*:*:*:*:wordpress:*:*
themerex yolox-startup_magazine_\&_blog_wordpress_theme < 1.0.3 cpe:2.3:a:themerex:yolox-startup_magazine_\&_blog_wordpress_theme:*:*:*:*:*:wordpress:*:*
themerex meals_and_wheels-food_truck < 1.0.3 cpe:2.3:a:themerex:meals_and_wheels-food_truck:*:*:*:*:*:wordpress:*:*

References for CVE-2020-10257

cvelogic Threat Intelligence