WordPress Plugin Vulnerabilities

ThemeREX Addons - Remote Code Execution

Description

"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts."

Note (WPScanTeam): There are major version inconsistencies in the trx_addons shipped with the affected themes. As a result, a common "fixed in" version cannot be set so far, and we recommend seeing the posts from ThemeREX and Wordfence in the references below for the versions.

Proof of Concept

Affects Plugins

Fixed in 1.70.3.1
Fixed in 1.6.61.1.1
Fixed in 1.6.59.1.2
Fixed in 1.6.49.6.3
Fixed in 1.6.61.2.1
Fixed in 1.6.59.4
Fixed in 1.6.58.3
Fixed in 1.6.49.9
Fixed in 1.6.67.1
Fixed in 1.6.66.1
Fixed in 1.6.65.1
Fixed in 1.6.60.1
Fixed in 1.6.57.4
Fixed in 1.6.56.1
Fixed in 1.6.55.8
Fixed in 1.6.54.1
Fixed in 1.6.53.4
Fixed in 1.6.52.3
Fixed in 1.6.51.4
Fixed in 1.6.50.2

References

Classification

Type
RCE
OWASP top 10
CWE

Miscellaneous

Submitter
Wordfence
Verified
No

Timeline

Publicly Published
2020-02-18
Added
2020-02-18
Last Updated
2024-09-27
