Connect with us

Hi, what are you looking for?



Hackers Start Exploiting Recent Vulnerabilities in Thrive Theme WordPress Plugins

Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.

Over 100,000 WordPress websites could be exposed to attacks targeting a couple of recently addressed vulnerabilities affecting Thrive Theme plugins, warns the Wordfence Threat Intelligence Team at WordPress security company Defiant.

The Thrive Themes represent a collection of themes and plugins that provide WordPress administrators with the means to quickly customize their websites.

Two vulnerabilities that the Thrive Themes team addressed earlier this month are currently being targeted in live attacks to upload arbitrary files to vulnerable websites, and provide attackers with backdoor control to them.

The most important of the bugs is a critical (CVSS score of 10) unauthenticated arbitrary file upload and option deletion vulnerability that affects all Thrive Theme’s Legacy Themes. The flaw exists because the Legacy Themes include an insecurely implemented function to automatically compress images during uploads.

The second bug is considered medium severity (CVSS score of 5.8) and is an unauthenticated option update issue. The flaw is rooted in the insecure implementation of the ability to integrate with Zapier, which is available in the Thrive Dashboard.

A REST API endpoint that is associated with Zapier functionality is registered and the endpoint could be accessed by supplying an empty api_key parameter, provided that Zapier was not enabled. This would allow attackers to add arbitrary data to a predefined option.

The two security holes can be chained together to deploy malicious code onto a vulnerable website, through a REST API endpoint that Thrive Legacy Themes register to compress images. The vulnerabilities can be abused to deliver executable PHP files, Wordfence says.

The security researchers say that attackers are already exploiting the two flaws in live attacks, and that more than 100,000 WordPress sites that rely on Thrive Theme products may be exposed to compromise.

Advertisement. Scroll to continue reading.

As part of the observed attacks, adversaries upload a malicious PHP file to the vulnerable websites, with the chain exploit providing attackers with backdoor access to WordPress installations.

“Our security analysts have been able to forensically verify this intrusion vector on an individual site. In addition, we have found the payload added by this attack on over 1900 sites, all of which appear to have vulnerable REST API endpoints,” Wordfence says.

Vulnerable products include Legacy Themes (Rise, Ignition, and others, prior to version 2.0.0), Thrive Optimize (up to version, Thrive Comments (prior to, Thrive Headline Optimizer (versions up to, Thrive Themes Builder (versions before 2.2.4), Thrive Leads, Thrive Ultimatum, Thrive Quiz Builder, and Thrive Apprentice prior to version, Thrive Architect (before, and Thrive Dashboard (versions up to

“For the time being, we urge that site owners running any of the Thrive Themes “legacy” themes to update to version 2.0.0 immediately, and any site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins,” the researchers conclude.

Related: Vulnerabilities in NextGEN Gallery Plugin Exposed Many WordPress Sites to Takeover

Related: Many WordPress Sites Affected by Vulnerabilities in ‘Popup Builder’ Plugin

Related: WordPress ‘File Manager’ Plugin Patches Critical Zero-Day Exploited in Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...