
Cloud Vulnerability DB
A community-led vulnerability database
The ThemeREX Addons plugin for WordPress was found to contain a critical security vulnerability (CVE-2020-10257) before the March 9, 2020 update. The vulnerability stemmed from a lack of access control on the /trx_addons/v2/get/sc_layout REST API endpoint, which affected multiple versions of the plugin. This security flaw was discovered and publicly disclosed on February 18, 2020 (WPScan).
The vulnerability exists in the includes/plugin.rest-api.php file where the trx_addons_rest_get_sc_layout function processes an unsafe 'sc' parameter through the REST API endpoint. The severity of this vulnerability is rated as Critical with a CVSS score of 9.8. The flaw is classified as an Injection vulnerability (OWASP Top 10 A1) and is categorized under CWE-94 (WPScan).
This vulnerability allows attackers to remotely execute code on sites with the affected plugin installed. The impact is severe as it enables malicious actors to execute arbitrary PHP functions, including the ability to inject administrative user accounts into the WordPress installation (WPScan).
Multiple versions of the plugin have been patched to address this vulnerability, including versions 1.70.3.1, 1.6.61.1.1, 1.6.59.1.2, and several others. Users are strongly advised to update to the latest patched version of the plugin that corresponds to their installation (WPScan, Wordfence Blog).
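The two defects the advisory names, a REST endpoint with no access control and a handler that trusts a client-supplied `sc` value as the thing to execute, map directly onto WordPress's `register_rest_route()` options. The following is an added illustration, not code from ThemeREX Addons or from WPScan's write-up: a weak route registration in the same shape the advisory describes, followed by a hardened one that gates the route on a capability and resolves `sc` through a fixed allowlist. The route name `myplugin/v1/layout`, the `myplugin_render_*` functions and the `hardened_known_layouts()` map are assumptions for the example.

```php
<?php
// Added example (not the plugin's own code). Route names, renderer function
// names and the allowlist map below are assumptions made for illustration.

// --- Weak pattern: the two gaps the advisory describes -----------------------
function weak_register_layout_route() {
    register_rest_route( 'myplugin/v1', '/layout', array(
        'methods'             => 'GET',
        // Gap 1: no access control; any unauthenticated caller reaches the handler.
        'permission_callback' => '__return_true',
        'callback'            => function ( WP_REST_Request $request ) {
            // Gap 2: 'sc' is taken straight from the request and treated as the
            // name of the PHP function that renders the layout (CWE-94).
            return rest_ensure_response( call_user_func( $request['sc'] ) );
        },
    ) );
}

// --- Hardened pattern ----------------------------------------------------------
// The client may only pick a layout the plugin itself ships. An opaque key is
// mapped to a fixed callable, so no request value ever names a PHP function.
function hardened_known_layouts() {
    return array(
        'header' => 'myplugin_render_header_layout', // assumed plugin functions
        'footer' => 'myplugin_render_footer_layout',
    );
}

function hardened_register_layout_route() {
    register_rest_route( 'myplugin/v1', '/layout', array(
        'methods'             => WP_REST_Server::READABLE,
        // Gate on a capability. For cookie-authenticated REST calls WordPress
        // also requires a valid 'wp_rest' nonce, which blocks cross-site callers.
        'permission_callback' => function () {
            return current_user_can( 'edit_theme_options' );
        },
        'args' => array(
            'sc' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_key',
                // Reject anything that is not a key of the allowlist; the
                // request fails with a 400 before the callback runs.
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && array_key_exists( $value, hardened_known_layouts() );
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $request ) {
            $layouts  = hardened_known_layouts();
            $renderer = $layouts[ $request->get_param( 'sc' ) ]; // validated above
            return rest_ensure_response( array( 'html' => call_user_func( $renderer ) ) );
        },
    ) );
}

add_action( 'rest_api_init', 'hardened_register_layout_route' );
```

Two design points follow from the advisory. The `permission_callback` is what turns an anonymous endpoint into an authenticated one; `__return_true` is only appropriate for data that is genuinely public. Independently of that, the allowlist keeps the handler safe even if the permission check is ever misconfigured, because a validated key can only ever resolve to one of the renderers the plugin author listed. Neither replaces updating to a patched release, which remains the fix the advisory calls for.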
Source: This report was generated using AI