The WordPress security plugin Wordfence released security patches for the vulnerable ThemeREX Addons plugin; it had previously released a firewall rule for Wordfence Premium users.
Wordfence published a list of all affected ThemeREX themes and their patched versions, along with the vulnerable versions of the ThemeREX Addons plugin and the corresponding newly patched versions.
ThemeREX creates commercial themes and plugins for WordPress; ThemeREX Addons is a plugin that provides theme-enhancing features and widgets and is installed on approximately 44,000 websites. The vulnerability in the plugin could give attackers the ability to execute code remotely.
Wordfence released more technical details on the ThemeREX vulnerability
Wordfence first reported the critical vulnerability in the ThemeREX Addons plugin in February; more details on the vulnerability are now available. The plugin registers a REST-API endpoint to provide compatibility with the Gutenberg plugin, and that endpoint did not limit the PHP functions that could be executed. This meant that any user, even one who was not authenticated, could execute code remotely. Most concerning, the vulnerability could allow attackers to create a new administrator account, which could result in a complete site takeover.
Capability checks would block users who are not signed in or who lack administrator access; no such checks were performed on this endpoint, so any user could call it regardless of capability.
According to Wordfence: “…there was no nonce check to verify the authenticity of the source. Access control and cross-site request forgery (CSRF) protection aside, the core of the problem was within the functionality of the code itself.”
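The three defects the article lists (no capability check, no nonce check, and an endpoint that executes whatever PHP function it is asked to) all live in how a WordPress REST route is registered. The following is an added illustration, not ThemeREX's or Wordfence's code: a route of the shape described above, beside a hardened registration. The namespace `example-addons/v1`, the route `/run`, the parameter names `op`/`fn`/`args`, and the `example_addons_clear_cache` operation are assumptions made for the example.

```php
<?php
// Added example (not the plugin's own code). Names and the allow-list are assumptions.

// --- Weak pattern: the shape the article describes ---
// permission_callback lets anyone through, no nonce is checked, and the
// function to run is taken straight from the request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/run-weak', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',          // unauthenticated callers allowed
        'callback'            => function ( WP_REST_Request $req ) {
            $fn   = $req->get_param( 'fn' );                // caller picks the PHP function
            $args = (array) $req->get_param( 'args' );
            return call_user_func_array( $fn, $args );      // unrestricted execution
        },
    ) );
} );

// --- Hardened pattern ---
// 1. The request selects an operation from a fixed allow-list; it never names a function.
const EXAMPLE_ALLOWED_OPS = array(
    'clear_cache' => 'example_addons_clear_cache',
);

// Placeholder operation for the example; a real plugin would do real work here.
function example_addons_clear_cache( array $args ) {
    return array( 'cleared' => true );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/run', array(
        'methods'             => 'POST',
        // 2. Capability check: only users who may manage the site can call this route.
        //    Anonymous requests fail here before the callback ever runs.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Reject unknown operations at validation time.
        'args' => array(
            'op' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_string( $value ) && array_key_exists( $value, EXAMPLE_ALLOWED_OPS );
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            // 3. CSRF protection: cookie-authenticated REST requests must carry a valid
            //    X-WP-Nonce for the 'wp_rest' action. WordPress core already drops the
            //    cookie session when the nonce is missing or stale; the explicit check
            //    documents the requirement and fails closed if that behaviour changes.
            $nonce = $req->get_header( 'X-WP-Nonce' );
            if ( ! wp_verify_nonce( $nonce, 'wp_rest' ) ) {
                return new WP_Error( 'rest_cookie_invalid_nonce', 'Invalid nonce', array( 'status' => 403 ) );
            }
            $op = $req->get_param( 'op' );
            return call_user_func( EXAMPLE_ALLOWED_OPS[ $op ], (array) $req->get_param( 'args' ) );
        },
    ) );
} );
```

The two registrations differ only in three lines of intent: who may call the route (`permission_callback`), whether the request is proven to come from the logged-in user's own browser (the nonce), and what the route is allowed to do (a fixed map instead of a caller-supplied function name). When reviewing a plugin, `'permission_callback' => '__return_true'` on a route that changes state, or any `call_user_func`/`call_user_func_array` whose first argument derives from request data, is the pattern to look for.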
Wordfence also states that it has blocked over 267,000 exploit attempts during the past 2 weeks. The majority of the blocked attempts appeared to be discovery attempts by attackers trying to find sites running the ThemeREX Addons plugin or to probe how the vulnerability works.
Vulnerabilities in WordPress plugins are not something new
It was previously reported that a vulnerability had existed in the ‘ThemeGrill Demo Importer’ plugin for the past three years that could allow unauthenticated cybercriminals to gain control over numerous websites and blogs. Back in January, two WordPress plugins, InfiniteWP Client and WP Time Capsule, were reported to contain critical security vulnerabilities that could allow adversaries to access a site’s backend without a password.