Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.
Thrive Themes is a collection of themes and plugins that give WordPress administrators the means to quickly customize their websites.
Two vulnerabilities that the Thrive Themes team addressed earlier this month are currently being exploited in live attacks to upload arbitrary files to vulnerable websites and give attackers backdoor control over them.
The more severe of the two is a critical (CVSS score of 10) unauthenticated arbitrary file upload and option deletion vulnerability that affects all of the Thrive Themes Legacy Themes. The flaw exists because the Legacy Themes include an insecurely implemented function that automatically compresses images during uploads.
The second bug is rated medium severity (CVSS score of 5.8) and is an unauthenticated option update issue. It is rooted in the insecure implementation of the Zapier integration that is available in the Thrive Dashboard.
The Zapier functionality registers a REST API endpoint whose access check compares a supplied api_key parameter against the stored key. As long as Zapier had not been enabled, no key had been configured, so the endpoint could be reached by supplying an empty api_key parameter. This allowed attackers to write arbitrary data to a predefined option without authentication.
The two security holes can be chained to deploy malicious code onto a vulnerable website through the REST API endpoint that the Thrive Legacy Themes register to compress images. The chain can be abused to deliver executable PHP files, Wordfence says.
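As an added illustration of the two patterns the article describes above (the API-key check on the integration endpoint and the image-compression upload endpoint), the following WordPress plugin code was written for this page; it is not Thrive Themes' code, and the route names, option names and function names are hypothetical. It shows a loose API-key comparison that accepts an empty key when the integration was never configured, beside a hardened check, and an upload endpoint that validates file content and extension before anything is written to disk.

```php
<?php
/**
 * Added illustration (not Thrive Themes code). Route names, option names and
 * function names are hypothetical. Drop into a plugin file to try it out.
 */

add_action( 'rest_api_init', function () {

    // 1. Integration endpoint gated on a stored API key.
    //    VULNERABLE pattern: if the integration was never enabled the option is
    //    absent, get_option() returns false, and a missing or empty api_key
    //    parameter loosely compares equal to it (null == false, '' == false).
    register_rest_route( 'example/v1', '/integration-vulnerable', array(
        'methods'             => 'POST',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return $request->get_param( 'api_key' ) == get_option( 'example_integration_api_key' );
        },
        'callback'            => 'example_update_integration_option',
    ) );

    // HARDENED: refuse when no key is configured, refuse empty input, and
    // compare with a strict, constant-time check.
    register_rest_route( 'example/v1', '/integration', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_integration_permission',
        'callback'            => 'example_update_integration_option',
        'args'                => array(
            'api_key' => array( 'type' => 'string', 'required' => true ),
            'data'    => array( 'type' => 'string', 'required' => true, 'sanitize_callback' => 'sanitize_text_field' ),
        ),
    ) );

    // 2. "Compress on upload" endpoint: require a user who may upload files and
    //    never trust the client-supplied file name or MIME type.
    register_rest_route( 'example/v1', '/compress-image', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            return current_user_can( 'upload_files' );
        },
        'callback'            => 'example_compress_image',
    ) );
} );

function example_integration_permission( WP_REST_Request $request ) {
    $stored   = get_option( 'example_integration_api_key', '' );
    $supplied = (string) $request->get_param( 'api_key' );

    if ( ! is_string( $stored ) || '' === $stored ) {
        return new WP_Error( 'rest_not_configured', 'Integration is not enabled.', array( 'status' => 403 ) );
    }
    if ( '' === $supplied || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 401 ) );
    }
    return true;
}

function example_update_integration_option( WP_REST_Request $request ) {
    // Only this one predefined option is writable, and only with sanitized data.
    update_option( 'example_integration_data', sanitize_text_field( (string) $request->get_param( 'data' ) ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

function example_compress_image( WP_REST_Request $request ) {
    $files = $request->get_file_params();
    if ( empty( $files['file']['tmp_name'] ) || ! is_uploaded_file( $files['file']['tmp_name'] ) ) {
        return new WP_Error( 'rest_no_file', 'No file uploaded.', array( 'status' => 400 ) );
    }
    $file    = $files['file'];
    $allowed = array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );

    // Checks the real content against the extension; a .php payload (or a
    // file named image.php) fails here before it ever reaches the uploads dir.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === @getimagesize( $file['tmp_name'] ) ) {
        return new WP_Error( 'rest_bad_type', 'Only JPEG, PNG or GIF images are accepted.', array( 'status' => 415 ) );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        return new WP_Error( 'rest_upload_failed', $moved['error'], array( 'status' => 500 ) );
    }

    // Stand-in "compression": re-encode through the WordPress image editor.
    $editor = wp_get_image_editor( $moved['file'] );
    if ( ! is_wp_error( $editor ) ) {
        $editor->set_quality( 80 );
        $editor->save( $moved['file'] );
    }
    return rest_ensure_response( array( 'url' => $moved['url'] ) );
}
```

With the example integration key option unset, `curl -X POST https://site.example/wp-json/example/v1/integration-vulnerable -d api_key= -d data=x` is accepted by the vulnerable route and writes the option, while the same request to `/integration` is refused with 403 because the hardened callback treats "not configured" as "nobody is authorized" rather than "anyone matches an empty key". On the upload side, the content check and the restricted `mimes` override are what keep a PHP file out of the uploads directory; the compression step itself is not the security boundary.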
The security researchers say that attackers are already exploiting the two flaws, and that more than 100,000 WordPress sites that rely on Thrive Themes products may be exposed to compromise.
In the observed attacks, adversaries upload a malicious PHP file to vulnerable websites, and the exploit chain gives them backdoor access to the WordPress installations.
“Our security analysts have been able to forensically verify this intrusion vector on an individual site. In addition, we have found the payload added by this attack on over 1900 sites, all of which appear to have vulnerable REST API endpoints,” Wordfence says.
Vulnerable products include Legacy Themes (Rise, Ignition, and others, prior to version 2.0.0), Thrive Optimize (up to version 18.104.22.168), Thrive Comments (prior to 22.214.171.124), Thrive Headline Optimizer (versions up to 126.96.36.199), Thrive Themes Builder (versions before 2.2.4), Thrive Leads, Thrive Ultimatum, Thrive Quiz Builder, and Thrive Apprentice prior to version 188.8.131.52, Thrive Architect (before 184.108.40.206), and Thrive Dashboard (versions up to 220.127.116.11).
“For the time being, we urge site owners running any of the Thrive Themes “legacy” themes to update to version 2.0.0 immediately, and any site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins,” the researchers conclude.