Affected Plugin: ThemeREX Addons
Plugin Slug: trx_addons
Affected Versions: versions higher than 1.6.50
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: Currently no patch.
Today, February 18th, our Threat Intelligence team was notified of a vulnerability in ThemeREX Addons, a WordPress plugin installed on around 44,000 websites. This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.
At the time of writing, this vulnerability is being actively exploited; as a result, we urge users to temporarily remove the ThemeREX Addons plugin if you are running a version higher than 1.6.50 until a patch has been released.
Wordfence Premium customers received a new firewall rule today, February 18th, 2020, at 3:16PM UTC to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after four weeks, on March 19th, 2020.
REST-API Endpoint Unprotected and Improperly Configured
ThemeREX Addons is a plugin installed as a companion to many ThemeREX themes and provides several theme management features. One of the plugin's features registers a WordPress REST-API endpoint. When doing so, it does not verify that a request is coming from an administrative user.
While this is not cause for concern on its own, the endpoint allows any PHP function to be executed, rather than being limited to a select few functions. This means that remote code can be executed by any site visitor, even those who are not authenticated to the site. The most worrisome capability we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover.
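The two defects described above, a missing permission check and dispatch to an arbitrary caller-chosen function, are both fixed in the endpoint below. This is an added example written for this post and is not ThemeREX's code; the namespace, route, and all function names are hypothetical.

```php
<?php
// Added example, not ThemeREX's code: a REST-API endpoint with a capability check
// and a fixed allowlist of handlers. Namespace, route and function names are hypothetical.

add_action( 'rest_api_init', 'example_register_admin_route' );

function example_register_admin_route() {
    // Weak setting (the shape of the flaw described above): 'permission_callback' => '__return_true'
    // and a callback that runs whatever function name the request supplies. Do not do this.
    // Hardened setting: an administrator check plus dispatch to known handlers only.
    register_rest_route( 'example/v1', '/run', array(
        'methods'             => 'POST',
        'permission_callback' => 'example_require_admin',
        'callback'            => 'example_dispatch_action',
        'args'                => array(
            'action' => array(
                'required'          => true,
                'validate_callback' => 'example_is_allowed_action',
            ),
        ),
    ) );
}

// Only users with manage_options (administrators by default) may reach the callback.
function example_require_admin( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrator privileges required.', array( 'status' => 403 ) );
    }
    return true;
}

// Allowlist: the request chooses a short action name, never a PHP function name.
function example_allowed_actions() {
    return array( 'flush_cache' => 'example_flush_cache' );
}

function example_is_allowed_action( $value ) {
    return is_string( $value ) && array_key_exists( $value, example_allowed_actions() );
}

function example_dispatch_action( WP_REST_Request $request ) {
    $handlers = example_allowed_actions();
    return rest_ensure_response( array( 'result' => call_user_func( $handlers[ $request['action'] ] ) ) );
}

function example_flush_cache() {
    return wp_cache_flush();
}
```

Note that cookie-authenticated REST requests also need a valid X-WP-Nonce header, so a request without one is evaluated as an unauthenticated user and rejected by the permission callback.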
Indicators of Compromise
We currently have very little data on who is exploiting this vulnerability and what artifacts are being left behind; however, we do know that attacks are targeting administrative user account creation. If you are running the ThemeREX Addons plugin on your site and you find a new, suspicious administrative account, it is very likely that your site was compromised due to this vulnerability. We will provide more information as details emerge.
We have intentionally provided minimal information in this post in an effort to keep exploitation to a minimum while also informing WordPress site owners of the active campaign. We will release a follow-up post with further details once the developer patches this vulnerability.
For the time being, we urge site owners running the ThemeREX Addons plugin to remove it from their sites immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 18th, 2020. Sites running the free version of Wordfence will receive the firewall rule update on March 19th, 2020.
The post Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild appeared first on Wordfence.