March 9

Zero-Day Vulnerability inside ThemeREX Addons Now Patched

WordPress Zero Day


This post was originally published on this site

On February 18th, we were alerted to a vulnerability in ThemeREX Addons, a WordPress plugin installed on approximately 44,000 websites. We took immediate action to release a firewall rule to protect Wordfence Premium customers. As this vulnerability was being actively attacked, we also publicly notified the community of the vulnerability to help protect users from being compromised.

As an update to that notification, we are pleased to share that ThemeREX has released updates for all of their themes that included the vulnerable ThemeREX Addons plugin. In today's post we provide the technical details of the vulnerability along with the steps you need to take to make sure your site is running an updated version of the plugin.

Description: Remote Code Execution
Affected Plugin: ThemeREX Addons
Plugin Slug: trx_addons
Affected Versions: Various.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Versions: See "The Fix" below.

Deeper Analysis of the Issue

As previously noted, the ThemeREX Addons plugin was designed as a companion plugin to a number of ThemeREX themes. It provides several theme-enhancing functions and widgets to extend the functionality of the themes.

The vulnerable code was present in the ~/includes/plugin.rest-api.php file, where there were a few issues. In order to provide compatibility with the Gutenberg plugin, the ThemeREX Addons plugin registered a REST API endpoint (/trx_addons/v2/get/sc_layout) that would call the trx_addons_rest_get_sc_layout function any time the endpoint was invoked.

// Register endpoints
if ( !function_exists( 'trx_addons_rest_register_endpoints' ) ) {
   add_action( 'rest_api_init', 'trx_addons_rest_register_endpoints');
   function trx_addons_rest_register_endpoints() {
      // Return layouts for the Gutenberg blocks
      // Note: no 'permission_callback' is supplied, so the route is open to anyone
      register_rest_route( 'trx_addons/v2', '/get/sc_layout', array(
         'methods' => 'GET,POST',
         'callback' => 'trx_addons_rest_get_sc_layout',
         ));
   }
}

// Return layout
if ( !function_exists( 'trx_addons_rest_get_sc_layout' ) && class_exists( 'WP_REST_Request' ) ) {
   function trx_addons_rest_get_sc_layout(WP_REST_Request $request) {
      // ... (body of the callback continues in the next excerpt)

There were no capability checks on this endpoint that would block users who were not administrators or even logged in, so any user could call the endpoint regardless of capability. In addition, there was no nonce check to verify the authenticity of the request's origin. Access control and cross-site request forgery (CSRF) protection aside, the core of the issue was in the functionality of the code itself.

A few lines later, we see the function retrieve parameters from widgets, presumably widgets that worked with the Gutenberg plugin. This is where the core of the remote code execution vulnerability was present. There were no restrictions on the PHP functions that could be called or on the parameters that were supplied as input. Instead, we see a simple if (function_exists($sc)) allowing any PHP function to be called and executed.

      // Get params from widget (inside trx_addons_rest_get_sc_layout, continued from above)
      $params = $request->get_params();
      if (!empty($params['sc'])) {
         // Only the prefix is rewritten; the function name is otherwise taken verbatim from the request
         $sc = str_replace('trx_sc_', 'trx_addons_sc_', $params['sc']);
         if (function_exists($sc)) {
            // Any existing PHP function is called with the request parameters as its argument
            $response['data'] = $sc($params);
         } else {
            $response['data'] = '<div class="sc_error">' . esc_html(sprintf(__("Unknown block %s", 'trx_addons'), $params['sc'])) . '</div>';
         }
      }

      return new WP_REST_Response($response);
   }
}

This ultimately allowed WordPress functions like wp_insert_user to be executed, giving attackers the ability to inject administrative user accounts and take over sites.

The Fix

In order to resolve the security issue, ThemeREX opted to completely remove the affected ~/plugin.rest-api.php file from the plugin, considering it was no longer necessary for its functionality, since the Gutenberg plugin has been fully integrated as part of WordPress core.

The following is a list of all affected ThemeREX themes and their patched versions, along with the vulnerable versions of the ThemeREX Addons plugin and the corresponding newly patched versions, courtesy of ThemeREX:

Theme Name | Patched Theme Version | ThemeREX Addons Vulnerable Versions | ThemeREX Addons Patched Version
Ozeum – Museum | 1.0.2 | 1.70.3 | 1.70.3.1
Chit Club – Table Games | 1.0.1 | 1.70.3 | 1.70.3.1
Yottis – Basic Portfolio | 1.0.1 | 1.6.67 | 1.6.67.1
Helion – Company & Portfolio Theme | 1.0.3 | 1.6.66 | 1.6.66.1
Amuli | 1.0.2 | 1.6.66 | 1.6.66.1
Nelson – Barbershop + Tattoo Salon | 1.1.2001 | 1.6.65 | 1.6.65.1
Hallelujah – Church | 1.0.1 | 1.6.65 | 1.6.65.1
Right Way | 4.0.1 | 1.6.65 | 1.6.65.1
Prider – Pride Fest | 1.0.2 | 1.6.65 | 1.6.65.1
Mystik – Esoterics | 1.0.1 | 1.6.62.3 | 1.6.62.3.1
Skydiving and Flying Organization | 1.0.1 | 1.6.62.3 | 1.6.62.4
DroneX – Aerial Photography Services | 1.1.2001 | 1.6.62.1 | 1.6.62.1.1
Samadhi – Buddhist | 1.0.1 | 1.6.61.2 | 1.6.61.2.1
TanTum – Rent a car, Rent a bike, Rent a scooter Multiskin Theme | 1.0.2 | 1.6.61.3 | 1.6.61.3.1
Scientia – Public Library | 1.0.1 | 1.6.61.2 | 1.6.61.2.1
Blabber | 1.5.2009 | 1.6.61.2 | 1.6.61.2.1
Impacto Patronus Multi-landing | 1.1.2001 | 1.6.61.1 | 1.6.61.1.1
Rare Radio | 1.0.1 | 1.6.61 | 1.6.61.1
Piqes – Creative Startup & Business WordPress Theme | 1.0.1 | 1.6.60 | 1.6.60.1
Kratz – Digital Agency | 1.0.2 | 1.6.59.3 | 1.6.59.4
Pixefy | 1.0.1 | 1.6.59.2 | 1.6.59.3
Netmix – Broadband & Telecom | 1.0.2 | 1.6.59.1.1 | 1.6.59.1.2
Kids Care | 3.0.5 | 1.6.59 | 1.6.59.1
Briny – Diving WordPress Theme | 1.2.2000 | 1.6.58.2 | 1.6.58.3
Tornados | 1.1.2001 | 1.6.57.3 | 1.6.57.4
Gridiron | 1.0.2 | 1.6.57.4 | 1.6.57.5
Yungen – Digital/Advertising Agency | 1.0.1 | 1.6.57.2 | 1.6.57.2.1
FC United – Soccer | 1.0.7 | 1.6.57.3 | 1.6.57.3.1
Bugster – Pest Control | 1.0.2 | 1.6.57.2 | 1.6.57.3
Rumble – Single Fighter Boxer, News, Gym, Shop | 1.0.4 | 1.6.57 | 1.6.57.1
Tacticool – Shooting Range WordPress Theme | 1.0.1 | 1.6.56 | 1.6.56.1
Coinpress – Cryptocurrency Magazine & Blog WordPress Theme | 1.0.2 | 1.6.55.4 | 1.6.55.5
Vihara – Ashram, Buddhist | 1.1.2001 | 1.6.55.7 | 1.6.55.8
Katelyn – Gutenberg WordPress Blog Theme | 1.0.4 | 1.6.55.3 | 1.6.55.5
Heaven 11 – Multiskin Property Theme | 1.0.2 | 1.6.55.1 | 1.6.55.2
Especio – Food Gutenberg Theme | 1.0.1 | 1.6.54 | 1.6.54.1
Partiso_ElectionCampaign | 1.1.2002 | 1.6.53.1 | 1.6.53.2
Kargo – Freight Transportation | 1.1.2004 | 1.6.53.3 | 1.6.53.4
Maxify – Startup Blog | 1.0.4 | 1.6.53.2 | 1.6.53.3
Lingvico – Language Learning School | 1.0.3 | 1.6.53.1 | 1.6.53.3
Aldo – Gutenberg WordPress Blog Theme | 1.0.2 | 1.6.53.2 | 1.6.53.3
Vixus – Startup / Mobile Application | 1.0.4 | 1.6.52.2 | 1.6.52.3
WellSpring _ Water Filter Systems | 1.0.3 | 1.6.52.1 | 1.6.52.3
Nazareth – Church | 1.0.5 | 1.6.52.1 | 1.6.52.2
Tediss – Soft Play Area, Cafe & Child Care Center | 1.0.3 | 1.6.53 | 1.6.53.1
Yolox – Startup Magazine & Blog WordPress Theme | 1.0.3 | 1.6.51.3 | 1.6.51.4
Meals and Tires – Food Truck | 1.0.3 | 1.6.51.3 | 1.6.51.4
Rosalinda – Vegetarian & Health Coach | 1.0.3 | 1.6.51.1 | 1.6.51.2
Vapester | 1.1.2001 | 1.6.50 | 1.6.50.1
Modern Housewife – Housewife and Family Blog | 1.0.2 | 1.6.50 | 1.6.50.1
ChainPress | 1.0.3 | 1.6.50.1 | 1.6.50.2
Justitia – Multiskin Attorney Theme | 1.0.3 | 1.6.51.1 | 1.6.51.2
Hobo_Digital Nomad Blog | 1.0.3 | 1.6.50 | 1.6.50.1
Rhodos – Creative Business WordPress Theme | 1.3.2001 | 1.6.50.1 | 1.6.50.2
Buzz Rock – Magazine & Blog | 1.0.3 | 1.6.50 | 1.6.50.1
Corredo_Sport Event | 1.1.2003 | 1.0.49.10 | 1.6.49.10
SaveJulia Personal Fundraising Campaign | 1.0.3 | 1.6.49.8 | 1.6.49.9
BonkoZoo_Zoo | 1.0.3 | 1.6.49.6 | 1.6.49.7
Renewal – Plastic Surgeon Clinic | 1.0.3 | 1.6.49.6.2 | 1.6.49.6.3
Gloss_blog | 1.0.1 | 1.6.49.5 | 1.6.49.6
Plumbing – Repair, Building & Construction WordPress Theme | 3.0.1 | 1.6.58.2 | 1.6.58.2.1
Topper Theme and Skins | Various | 1.6.61.2 | 1.6.61.3

How to Update to the Latest Version of ThemeREX Addons

It is important to note that you may not be notified that there is a new version available for update in the WordPress dashboard, as you would be for most other plugins. If the plugins page doesn't allow you to update, please follow this guide.

  1. Update the ThemeREX theme you have installed on your site. You can do this through the Dashboard > Updates or Appearance > Themes sections of your WordPress administrative area, if you have the ThemeREX Updater plugin installed. If you don't have the ThemeREX Updater plugin installed, you will need to download the most up-to-date version of the theme and perform a manual update.
  2. Once you have updated your ThemeREX theme, you will need to deactivate and uninstall the vulnerable version of the ThemeREX Addons plugin.
  3. You'll be prompted to install the ThemeREX Addons plugin. Follow the prompts to re-install the patched version of ThemeREX Addons. The prompt should look like this:

    [Screenshot: Prompt to install ThemeREX Addons.]

  4. Once you have re-installed the plugin you should have a patched version. Please find your theme in the table above and compare its fixed version to the version that is now installed on your site, as shown on the plugins page:

    [Screenshot: A patched version of ThemeREX Addons.]

If you want to verify that your site is no longer running the vulnerable code, navigate to your hosting account's file manager, or connect via FTP/SFTP/SSH, and go to the ~/wp-content/plugins/trx_addons/includes/ folder. If the file /plugin.rest-api.php is not present, you can rest assured that you are not running the vulnerable code on your site.

If you do still see this file, however, we recommend contacting the ThemeREX team directly through their support forum, as there may have been an issue with your update.
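The two checks described above (plugin version against the table, and absence of the removed REST file) can be scripted. This is an added example, not Wordfence or ThemeREX code; it assumes the standard wp-content/plugins/trx_addons layout with trx_addons.php as the main plugin file, and it also greps every PHP file for the route string in case the registration survived under another filename.

```python
"""Verify a trx_addons install against the patched state described above (added example)."""
import re
from pathlib import Path

VULNERABLE_FILE = "includes/plugin.rest-api.php"   # the file ThemeREX removed in the fix
ROUTE_MARKER = "/get/sc_layout"                     # route string the vulnerable code registered

def parse_version(v: str) -> tuple:
    # Versions such as 1.6.59.1.2 have a variable number of numeric parts;
    # tuples compare element by element, so (1, 6, 59) < (1, 6, 59, 1).
    return tuple(int(p) for p in v.strip().split("."))

def header_version(main_file_text: str):
    # WordPress reads the plugin version from a "Version:" line in the header comment.
    m = re.search(r"^[\s*#]*Version:\s*([0-9][0-9.]*)", main_file_text, re.MULTILINE)
    return m.group(1) if m else None

def assess(installed, patched: str, rest_file_present: bool, route_found: bool) -> dict:
    version_ok = installed is not None and parse_version(installed) >= parse_version(patched)
    return {
        "installed": installed,
        "version_ok": version_ok,
        "rest_api_file_present": rest_file_present,
        "route_still_registered": route_found,
        # Patched only when the version is new enough AND nothing registers the route any more.
        "patched": version_ok and not rest_file_present and not route_found,
    }

def check_install(plugin_dir: Path, patched: str) -> dict:
    """I/O wrapper: run the assessment against a real plugin directory."""
    main_file = plugin_dir / "trx_addons.php"
    installed = header_version(main_file.read_text(encoding="utf-8", errors="replace")) \
        if main_file.exists() else None
    rest_file_present = (plugin_dir / VULNERABLE_FILE).exists()
    # Look in every PHP file, not only the known filename, in case the route moved.
    route_found = any(ROUTE_MARKER in p.read_text(encoding="utf-8", errors="replace")
                      for p in plugin_dir.rglob("*.php"))
    return assess(installed, patched, rest_file_present, route_found)

if __name__ == "__main__":
    import sys  # usage: python check_trx.py /path/to/wp-content/plugins/trx_addons 1.6.59.1
    print(check_install(Path(sys.argv[1]), sys.argv[2]))
```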

Insight on Attacks

We have blocked more than 267,000 exploit attempts in the two weeks since we were initially alerted to the vulnerability's existence. The good news, however, is that the vast majority of the attempts we've blocked appear to have been discovery attempts from attackers unsuccessfully looking for sites running the ThemeREX Addons plugin, or attackers simply trying to work out how the vulnerability behaves. Unsuccessful exploit attempts have looked like this:

example.com/wp-json/trx_addons/v2/get/sc_layout?sc=sdw1dd1

Successful exploit attempts have looked like this and cause the creation of a new administrator-level user account on a vulnerable site:

example.com/wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=TEST&user_pass=TEST
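For anyone reviewing access logs for the two request shapes above, here is detection logic that applies the plugin's own str_replace rewrite to the sc parameter and separates intended layout requests from arbitrary function calls. This is an added example, not part of the Wordfence post; the log lines are constructed, and it also handles the plain-permalink ?rest_route= form of the endpoint, which the post does not show.

```python
"""Classify requests to the trx_addons get/sc_layout endpoint found in access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/trx_addons/v2/get/sc_layout"   # REST route registered by the vulnerable code
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Combined-log-format lines, constructed for this example (addresses from documentation ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [19/Feb/2020:10:01:02 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=sdw1dd1 HTTP/1.1" 200 312
203.0.113.5 - - [19/Feb/2020:10:01:09 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=TEST&user_pass=TEST HTTP/1.1" 200 55
198.51.100.7 - - [19/Feb/2020:10:02:00 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout?sc=trx_sc_button HTTP/1.1" 200 1870
198.51.100.9 - - [19/Feb/2020:10:03:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 4021
"""

def resolve_callback(sc: str) -> str:
    # The same rewrite the plugin applied before calling the named function.
    return sc.replace("trx_sc_", "trx_addons_sc_")

def classify(target: str):
    """Return (verdict, details) for one request target, or None if it is another endpoint."""
    parts = urlsplit(target)
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    route = qs.get("rest_route", parts.path)          # plain permalinks pass the route as ?rest_route=
    if route.rstrip("/") not in (ENDPOINT, "/wp-json" + ENDPOINT):
        return None
    details = {k: v for k, v in qs.items() if k not in ("sc", "rest_route")}
    if not qs.get("sc"):
        return ("probe", details)                      # endpoint touched without naming a function
    func = resolve_callback(qs["sc"])
    details["function"] = func
    details["creates_user"] = func == "wp_insert_user"  # the pattern seen in successful attacks
    verdict = "expected" if func.startswith("trx_addons_sc_") else "arbitrary-call"
    return (verdict, details)

def scan(log_text: str) -> list:
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify(m["target"])
        if result:
            verdict, details = result
            findings.append({"ip": m["ip"], "ts": m["ts"], "verdict": verdict, **details})
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any "arbitrary-call" finding deserves a look at the user table for accounts created around that timestamp, since the endpoint returned 200 whether or not the call succeeded.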

We ensured our disclosure on February 18th included minimal details to prevent attackers from exploiting this vulnerability while still alerting customers to a critical issue requiring their immediate attention.

Now that patches have been released, we feel comfortable disclosing the details of the vulnerability. However, as with most full disclosures, we expect to see an increase in successful exploit attempts, so we urge customers to update to the latest version available as soon as possible.

PoC Walkthrough

Disclosure Timeline

February 18th, 2020 – Wordfence notified of active exploitation of the vulnerability. Wordfence releases a firewall rule immediately to Wordfence Premium customers and notifies the ThemeREX plugin team. We publish a post to inform users that they need to remove the plugin until a patch is released.
February 19th, 2020 – Irvin McDowell at ThemeREX responds, acknowledges the security issues and confirms they are working on a fix.
February 20th, 2020 – Notification that themes on ThemeForest have been updated to include patched copies of ThemeREX Addons.
March 9th, 2020 – Last ThemeREX theme updated to include a patched copy of ThemeREX Addons.
March 9th, 2020 – Full disclosure provided.
March 19th, 2020 – Wordfence free users receive the firewall rule.

Conclusion

In today's post, we provided the technical details of the vulnerability in the ThemeREX Addons plugin. This flaw has been patched in all ThemeREX themes that were running vulnerable versions of the plugin, and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 18th. Sites running the free version of Wordfence will receive the firewall rule update on March 19th, 2020.

Special thanks to Irvin McDowell, the CIO of ThemeREX, for working with us and providing details as needed, and to the entire team at ThemeREX for working quickly to get this resolved. Also, thanks to Ramuel Gall, Sean Murphy and Matt Rusnak from the Wordfence team for assistance analyzing the vulnerability and for quickly releasing a firewall rule to Wordfence customers. And again, thanks to Tobias Westphal and Arne Breitsprecher for reporting this vulnerability to Wordfence.

The post Zero-Day Vulnerability in ThemeREX Addons Now Patched appeared first on Wordfence.

About the author 

WP Maintain Support Protect
