February 18

Zero-Day Vulnerability inside ThemeREX Addons Plugin Exploited in the open

WordPress Vulnerabilities


This post was originally published on this site

Today, February 18th, our Threat Cleverness team had been notified of the vulnerability within ThemeREX Addons, the WordPress plugin installed on around 44,000 websites. This flaw enables attackers to remotely execute program code on a niche site with the plugin set up, including the capability to execute code that may inject administrative consumer accounts.

At enough time of writing, this vulnerability has been actively exploited, as a result we urge users to temporarily take away the ThemeREX Addons plugin in case you are working a version higher than 1.6.50 until the patch has been released.

Wordfence Premium clients received a fresh firewall rule these days, February 18th, 2020, from 3:16PM UTC to safeguard against exploits targeting this vulnerability. Free Wordfence customers will have the rule after four weeks on March 19th, 2020.

REST-API Endpoint Unprotected and Improperly Configured

ThemeREX Addons is really a plugin installed as a companion to numerous ThemeREX themes and several theme management features. Among the plugin’s features registers a WordPress REST-API endpoint. When doing this, it generally does not verify a request is via an administrative consumer.

While this is simply not cause for concern alone, the endpoint allows any PHP perform to be executed, instead of being limited by a select few features. Which means that remote program code could be executed by any website visitor, even those that aren’t authenticated to the website. Probably the most worrisome capability that people are viewing actively attacked may be the ability to develop a brand new administrative user, which may be used for complete web site takeover.

Indicators of Compromise

We currently have hardly any data on who’s exploiting this vulnerability and what artifacts are increasingly being left out, however, we can say for certain that assaults are targeting administrative consumer account creation. In case you are operating the ThemeREX Addons plugin on your own site and you locate a brand new suspicious administrative accounts, it is extremely likely that your web site was compromised because of this vulnerability. We shall provide more info as information emerge.


We possess intentionally provided minimal information in this post so that they can keep exploitation to a smallest amount while furthermore informing WordPress online marketers of the active campaign. We shall release a follow-up write-up with further details after the programmer patches this vulnerability.

For enough time being, we urge that online marketers working the ThemeREX Addons plugin take it off from their sites immediately. Sites running Wordfence Premium have already been protected from episodes from this vulnerability since February 18th, 2020. Websites running the free edition of Wordfence will have the firewall principle update on March 19th, 2020.

The post Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild appeared first on Wordfence.

About the author 

WP Maintain Support Protect

You may also like

How exactly to Fix “ARE YOU CURRENTLY Sure You should do This?” Error within WordPress site

WordPress 5.4.2 Patches Several XSS Vulnerabilities

How to Prevent IP Addresses TO SAFEGUARD Your WordPress Site

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Subscribe to our newsletter now!