It's tough when you get a buried error, we all know this. We have a Wordpress site, running against IIS and utilizing PHP via FastCGI. During one of the WP theme's update operations for the "widgets" section, I kept getting a 500 error. In my case, I needed to go to the server itself to get more details, as I don't show possible site-revealing information like pathing, etc. to any remote servers.
Going to the server (RDP) and testing didn't reveal much additional information. I created a "Failed Request Trace". The best error I could find was the 0x8007010b and "The directory name is invalid." The truth is, whatever this error is...? It had nothing to do with the real problem.
This was the request in the Chrome "Network" tab:
Looking at the outgoing Headers for this request shows:
In this section, look for the PHP FastCGI entries:
In my case, I only edited the last one, assuming I was on the "most recent" setup. Double click on it to see this screen, and then click on "Request Filtering":
If you do NOT see OPTIONS in this list then add it. You may not have even known that this restriction was in place. You can also select "All Verbs", however, it's usually best to just add what you need when it comes to security restrictions such as these. I added the ,OPTIONS value in, saved all the dialog windows to close them and my request immediately began to function as expected within the Wordpress editor.