Zero-Day in WordPress Plugin Exploited to Create Admin Accounts

A zero-day vulnerability in ThemeREX Addons, a WordPress plugin installed on thousands of sites, is being actively exploited by attackers to create user accounts with admin permissions and potentially take over the vulnerable website completely.

According to estimates from WordPress site security firm Wordfence, the company that reported the ongoing attacks targeting the ThemeREX Addons zero-day bug, the plugin is currently installed on at least 44,000 websites.

ThemeRex, the company behind this WordPress plugin, has over 466 commercial WordPress themes and templates for sale in its shop, and these themes also install the ThemeREX Addons plugin to help customers configure and manage them more easily.

"Over 30,000 customers use our Premium WordPress themes to power their websites including some of the world's top brands and businesses," the company says on its website.

The bug is present in a WordPress REST API endpoint registered by the plugin that allows any PHP function to be executed without first checking whether the request comes from a user with administrative permissions.
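As an added illustration (not code from the article or from the ThemeREX plugin), the class of defect described above in a hypothetical plugin: a REST route whose permission check is disabled and whose handler runs whatever function the request names, beside a hardened registration that requires the `manage_options` capability and dispatches only allowlisted actions. The namespace, route and function names are invented for this example.

```php
<?php
// Added example with hypothetical plugin code; names are assumptions.

// Weak pattern: 'permission_callback' returns true for every caller, so
// unauthenticated requests reach the handler, which then invokes whatever
// callable the request names. This is the shape of "execute any PHP
// function without an admin check" that the article describes.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/run', array(
        'methods'             => 'POST',
        'callback'            => 'example_run_anything',
        'permission_callback' => '__return_true', // no capability check
    ) );
} );

function example_run_anything( WP_REST_Request $request ) {
    $fn   = $request->get_param( 'function' );
    $args = (array) $request->get_param( 'args' );
    return call_user_func_array( $fn, $args ); // caller-chosen function
}

// Hardened: the permission callback requires an administrator-level
// capability, and the handler maps a validated action name onto a fixed
// allowlist of WordPress functions instead of a caller-supplied name.
const EXAMPLE_ALLOWED_ACTIONS = array(
    'flush_cache'   => 'wp_cache_flush',
    'flush_rewrite' => 'flush_rewrite_rules',
);

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/action', array(
        'methods'             => 'POST',
        'callback'            => 'example_run_allowlisted',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'action' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return array_key_exists( $value, EXAMPLE_ALLOWED_ACTIONS );
                },
            ),
        ),
    ) );
} );

function example_run_allowlisted( WP_REST_Request $request ) {
    $action = $request->get_param( 'action' );
    call_user_func( EXAMPLE_ALLOWED_ACTIONS[ $action ] );
    return rest_ensure_response( array( 'done' => $action ) );
}
```

Auditing a plugin for this issue means checking every `register_rest_route` call for a `permission_callback` that actually tests a capability, and every handler for code paths that turn request data into a function name.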

Remote code execution and admin account creation

"This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts," Wordfence threat analyst Chloe Chamberland explains.

"At the time of writing, this vulnerability is being actively exploited, therefore we urge users to temporarily remove the ThemeREX Addons plugin if you are running a version greater than 1.6.50 until a patch has been released."

Since ongoing attacks are already exploiting it in the wild, according to Wordfence, site owners and admins are advised to disable the plugin or remove it temporarily until a patch correcting the bug is released.

"We have intentionally provided minimal details in this post in an attempt to keep exploitation to a bare minimum while also informing WordPress site owners of this active campaign," Chamberland said.

"For the time being, we urge that site owners running the ThemeREX Addons plugin remove it from their sites immediately."

The ThemeREX Addons plugin vulnerability has not yet been patched by the developer and no news of this zero-day could be found on the company's support site.

BleepingComputer reached out to ThemeREX for comment but had not heard back at the time of this publication.

More critical flaws in WordPress plugins

Another severe vulnerability, found in versions 1.3.4 through 1.6.1 of the ThemeGrill Demo Importer plugin for WordPress, which is installed on more than 200,000 websites, is also being actively exploited by attackers.

In this case, since the developers released a new version with a fix, the active installation count has dropped to 100,000 sites, which suggests that site owners are removing the plugin rather than updating it as a defense against the ongoing attacks.

Critical bugs were also found in the WordPress GDPR Cookie Consent plugin used by more than 700,000 websites, allowing attackers to remove and change content, as well as inject malicious JavaScript code because of improper access controls.

The flaw affects version 1.8.2 and earlier, and WebToffee, the plugin's developer, patched it with the release of version 1.8.3 on February 10.

In mid-January, another two bugs allowing hackers to wipe or take over websites were reported in WordPress Database Reset, a plugin with 80,000+ installations designed to give site admins a simple way to reset databases to their defaults.

Since the developer released WordPress Database Reset 3.15, the version containing a fix for the bugs, only 25% of all users have patched their installations; the rest are still running older, potentially vulnerable versions.
