Hackers exploit a zero-day vulnerability in a WordPress plugin

A flaw in the ThemeREX Addons allow hackers to create admin accounts and take over vulnerable websites

A flaw in WordPress plugin exposed at least 44,000 websites to attackers. According to the Wordfence security firm that manages the WordPress platform's firewall, the plugin installed on at least 44,000 websites has a bug that was already exploited by hackers.^[1] Attacks started on February 18th and this zero-day flaw allowed attackers to create user accounts on the platform with administrative permissions, so vulnerable websites can be fully controlled by malicious actors.^[2]

The ThemeRex^[3] company provides more than 400 commercial WordPress themes and templates for sale. Those add-ons and plugins help customers to configure and manage themes easier. The vulnerability that was spotted in WordPress REST-API endpoint registered by the plugin, allows PHP functions to get executed without checking requests or permissions from admin users.

The research from Wordfence explained that attackers could remotely execute codes on sites with the particular plugin installed and inject administrative user accounts. As Chloe Chamberland, threat analyst at Wordfence stated:

At the time of writing, this vulnerability is being actively exploited, therefore we urge users to temporarily remove the ThemeREX Addons plugin if you are running a version greater than 1.6.50 until a patch has been released.

The remote code execution without authentication

Attacks exploiting this flaw started on Tuesday, and the Wordfence, web application firewall company, detected this activity. Experts noted that due to the vulnerability, remote malicious code can be executed by any visitor without requiring authentication to the site.

This feature is one of the most dangerous besides the fact that actors can create new user accounts and give them administrative permissions. When this is done, any attacker can take over the vulnerable website. Researchers suggest site owners and admins disable the plugin or remove it temporarily until the correct patch gets released to tackle the vulnerability.

The bug has not been patched yet by the developer, so Chamberland notes people to take actions immediately:

We have intentionally provided minimal details in this post in an attempt to keep exploitation to a bare minimum while also informing WordPress site owners of this active campaign.

News about severe flaw followed by another WordPress plugin bug report

Bug in another commercial theme plugin by ThemeGrill had a bug that supposedly affected more than 200,000 sites.^[4] The older versions of the TemeGrill Demo Importer can be exploited for remote attacks from unauthenticated hackers. These attacks can lead to particular payload drops on vulnerable websites that tan trigger malicious functions inside the plugin. Functions can reset the content on the site to zero, wiping all the data on vulnerable websites.

This bug also allowed attackers to obtain administrative permissions and control anything on the website. ThemeGrill said that flaw impacted Demo Importer plugin between versions 1.3.4 and 1.6.1 and patched the bug with the version 1.6.2 over this past weekend.

These attacks are called zero-day because attack occurs immediately after the patch gets released. ThemeGrill users can update the flawed plugin already.^[5] Nevertheless, ThemeREX attacks exploit the unpatched bug, so there are no updates available for now.

However, the active installations of ThemeGrill dropped to 100,000 from the 200,000 users. This shows that the flaw encouraged people to remove the plugin from their sites instead of updating the application after that patch release. Such security issues raise users' suspicions every time.