Zero-Day Bug In ThemeREX WordPress Plugin Exploited In The Wild


Researchers have discovered a zero-day vulnerability in the WordPress plugin ThemeREX. Exploiting the flaw allows an unauthenticated adversary to execute code remotely. Unfortunately, cybercriminals are already exploiting the bug, and no patch for the plugin is available at present.

ThemeREX WordPress Plugin Bug Under Exploit

Reportedly, the Wordfence team has discovered active exploitation of a zero-day bug in the WordPress plugin ThemeREX. As revealed in their blog post, the plugin boasts thousands of active installations, making all these websites vulnerable to attacks.

Regarding the attack scenario, the researchers elaborated that the flaw exists in the way the plugin registers a WordPress REST-API endpoint. While doing so, it does not verify that the request is coming from an admin. Thus, it allows any unauthenticated user to execute any function.

One of the plugin’s functions registers a WordPress REST-API endpoint. When doing so, it does not verify that a request is coming from an administrative user… The endpoint allows any PHP function to be executed, rather than being limited to a select few functions. This means that remote code can be executed by any visitor, even those that are not authenticated to the site

Likewise, exploiting this vulnerability also allows an adversary to create new admin accounts and gain complete control of the site. This is how the attackers are exploiting this flaw in the wild.
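The two controls described above as missing, shown in an added example that is not ThemeREX's code and does not come from the Wordfence post: a REST route that requires an administrator capability and dispatches only to a fixed allowlist of handlers. The namespace `example/v1`, the route `/run`, and every `example_*` name are hypothetical.

```php
<?php
/**
 * Plugin Name: Example Hardened REST Endpoint (illustrative, not ThemeREX code)
 */

// Hypothetical allowlist: the only operations this endpoint will ever run.
const EXAMPLE_ALLOWED_ACTIONS = array(
    'site_title'   => 'example_action_site_title',
    'active_theme' => 'example_action_active_theme',
);

function example_action_site_title() {
    return get_bloginfo( 'name' );
}

function example_action_active_theme() {
    return wp_get_theme()->get( 'Name' );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/run', array(
        'methods'             => 'POST',
        'callback'            => 'example_run_action',
        // Control 1: the callback is reached only by administrators.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'action' => array(
                'required'          => true,
                'type'              => 'string',
                // Reject unknown action names before the callback runs.
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && array_key_exists( $value, EXAMPLE_ALLOWED_ACTIONS );
                },
            ),
        ),
    ) );
} );

function example_run_action( WP_REST_Request $request ) {
    $action = $request->get_param( 'action' );
    // Control 2: the request value selects a fixed handler; it is never used as a function name.
    if ( ! is_string( $action ) || ! array_key_exists( $action, EXAMPLE_ALLOWED_ACTIONS ) ) {
        return new WP_Error( 'example_bad_action', 'Unknown action.', array( 'status' => 400 ) );
    }
    return rest_ensure_response( call_user_func( EXAMPLE_ALLOWED_ACTIONS[ $action ] ) );
}
```

When reviewing other plugins, a `register_rest_route()` call with no `permission_callback`, or one that always returns true on a state-changing route, deserves the same scrutiny.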

Remove The Plugin Until A Patch Is Available

Presently, ThemeREX has around 44,000 active installations, and the bug affects recent plugin versions too. This means a large number of websites are vulnerable to a bug for which no patch is available.

Wordfence has advised all ThemeREX users to stop using the plugin until a fix is available.

We urge users to temporarily remove the ThemeREX Addons plugin if you are running a version greater than 1.6.50 until a patch has been released.

For now, in the absence of a patch, the researchers refrained from posting explicit details about the exploitation.

Recently, researchers also reported a vulnerability in the ThemeGrill Demo Importer plugin. Exploiting the bug could allow an adversary to entirely wipe the target website’s database.

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]
