Researchers have discovered a zero-day vulnerability in the WordPress plugin ThemeREX Addons. Exploiting the flaw allows an unauthenticated adversary to execute code remotely. Unfortunately, cybercriminals are already exploiting the bug, and no patch for the plugin is available at present.
ThemeREX WordPress Plugin Bug Under Exploit
Reportedly, the Wordfence team has discovered active exploitation of a zero-day bug in the WordPress plugin ThemeREX Addons. As revealed in their blog post, the plugin has thousands of active installations, leaving all of those websites exposed to attack.
Regarding the attack scenario, the researchers explained that the flaw lies in the way the plugin registers a WordPress REST API endpoint. When registering it, the plugin does not verify that the request comes from an administrator, so any unauthenticated user can call the endpoint and have it execute any PHP function.
One of the plugin’s functions registers a WordPress REST-API endpoint. When doing so, it does not verify that a request is coming from an administrative user… The endpoint allows any PHP function to be executed, rather than being limited to a select few functions. This means that remote code can be executed by any visitor, even those that are not authenticated to the site.
Exploiting this vulnerability also allows an adversary to create new administrator accounts and take complete control of the site, which is how the attackers are abusing the flaw in the wild.
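What the described weakness looks like in code, as an added PHP example that is not the ThemeREX plugin's own code: the namespace, route, parameter and handler names are hypothetical. The weak registration omits a permission_callback and dispatches whatever function name it is handed; the hardened version requires an administrator and only dispatches to a fixed allow-list of handlers.

```php
<?php
// Added example (not the ThemeREX plugin's code). Route, namespace and
// handler names are hypothetical; the handler functions are assumed
// to be defined elsewhere in the plugin.

// Weak pattern, as described in the advisory: no permission_callback,
// and the endpoint runs any function name the caller supplies.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/run', array(
        'methods'  => 'POST',
        'callback' => function ( WP_REST_Request $request ) {
            $function = $request->get_param( 'action' );
            return call_user_func( $function ); // arbitrary PHP function, any visitor
        },
    ) );
} );

// Hardened version: only administrators reach the callback, and the
// 'action' parameter can only select one of a few known handlers.
const EXAMPLE_ALLOWED_ACTIONS = array(
    'flush_cache'  => 'example_addons_flush_cache',
    'reindex_menu' => 'example_addons_reindex_menu',
);

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/run', array(
        'methods'             => 'POST',
        // WordPress evaluates this before the callback; unauthenticated
        // requests and non-admins get a 401/403 and no code runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'action' => array(
                'required'          => true,
                // Reject anything that is not an allow-listed key (HTTP 400).
                'validate_callback' => function ( $value ) {
                    return is_string( $value )
                        && array_key_exists( $value, EXAMPLE_ALLOWED_ACTIONS );
                },
            ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            $handler = EXAMPLE_ALLOWED_ACTIONS[ $request->get_param( 'action' ) ];
            return rest_ensure_response( call_user_func( $handler ) );
        },
    ) );
} );
```

Because current_user_can() in a REST request relies on cookie authentication plus a valid X-WP-Nonce header, a plain unauthenticated POST to the hardened route is refused before the callback is ever reached.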
Remove The Plugin Until A Patch Is Available
At present, ThemeREX Addons has around 44,000 active installations, and the bug affects the recent plugin versions as well. A large number of websites are therefore exposed to a bug for which no patch is available.
Wordfence has advised all ThemeREX users to stop using the plugin until a fix is available.
We urge users to temporarily remove the ThemeREX Addons plugin if you are running a version greater than 1.6.50 until a patch has been released.
For now, in the absence of a patch, the researchers have refrained from publishing explicit details of the exploitation.
Recently, researchers also reported a vulnerability in the ThemeGrill Demo Importer plugin. Exploiting that bug could allow an adversary to wipe the target website’s database entirely.