Two recently patched vulnerabilities in a popular suite of tools for WordPress websites. From marketing platform Thrive Themes are being actively exploited by attackers.
Thrive Themes sells a number of products designed to help WordPress sites “convert visitors into leads and customers”. Its Thrive Suite product line includes Legacy Themes, which are tools for changing the layout. And design of WordPress websites as well as various plugins. Thrive Architect, which helps site owners create website landing pages, and Thrive Comments, which helps them implement engaging comment sections, are two of the plugins that offer various website development and visual functionalities.
On March 12, two vulnerabilities in these Legacy Themes and plugins were discovered, and patches were released. The flaws could be linked together to allow unauthenticated attackers to upload arbitrary files to vulnerable WordPress sites, potentially compromising the site.
Despite the patches, researchers are seeing a surge in exploit attempts, and they warn that more than 100,000 WordPress sites using Thrive Themes products could still be vulnerable.
“We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities,” according to Chloe Chamberland, threat analyst with Wordfence on Wednesday.
Below are a list of affected versions of Thrive Themes Legacy Themes and plugins, according to Wordfence:
- All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
- Thrive Optimize | Version < 22.214.171.124
- Comments | Version < 126.96.36.199
- Thrive Headline Optimizer | Version < 188.8.131.52
- Themes Builder | Version < 2.2.4
- Thrive Leads Version | < 184.108.40.206
- Ultimatum Version | < 220.127.116.11
- Thrive Quiz Builder Version | < 18.104.22.168
- Apprentice | Version < 22.214.171.124
- Thrive Architect | Version < 126.96.36.199
- Dashboard | Version < 188.8.131.52
The more serious of the two flaws has a CVSS score of 10 and is found in Thrive Themes Legacy Themes. These themes have the ability to automatically compress images during uploads, but Chamberland claims that this feature is insecurely implement.
“Thrive ‘Legacy’ Themes register a REST API endpoint to compress images using the Kraken image optimization engine,” said Chamberland. “By supplying a crafted request in combination with data inserted using the Option Update vulnerability. It was possible to use this endpoint to retrieve malicious code from a remote URL and overwrite an existing file on the site with it or create a new file. This includes executable PHP files that contain malicious code.”
Thrive Themes plugins have another, less serious vulnerability. This error caused by a poorly implement feature in the Thrive Dashboard that allows integration with the online automation tool Zapier. Thrive Themes products register a REST API endpoint associated with Zapier functionality. In order to make this integration happen.
“While this endpoint intended to require an API key in order to access. It was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier not enabled,” according to Chamberland. “Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.”
Of note, a CVE ID for both of these vulnerabilities is pending, according to Wordfence.
The Exploit Chain
Chamberland said that attackers can chain these two vulnerabilities together in order to access affected websites. Though Chamberland noted, researchers are intentionally providing minimal details about the exploit chain “in an attempt to keep exploitation to a minimum while also informing WordPress site owners using affected Thrive Theme products of this active campaign.”
At a high level, attackers are updating a database option using the medium-severity “Unauthenticated Option Update” vulnerability. The critical-severity “Unauthenticated Arbitrary File Upload” vulnerability can then be exploit to upload a malicious PHP file.
“The combination of these two vulnerabilities is allowing attackers to gain backdoor access into vulnerable sites to further compromise them,” said Chamberland.
Attacker Exploits Continue
Researchers were able to “verify this intrusion vector” on a single website. After which they discovered the payload added by this attack on over 1,900 websites. All of which appear to have vulnerable REST API endpoints.
Attackers are adding a signup.php file to the home directory of targeted sites. Which is then use to further infect sites with spam, according to Chamberland.
“This number is continuing to rise indicating that the attackers are continuing to successfully exploit the vulnerabilities and compromise sites,” Chamberland told. “Right now, we don’t have an idea how who specifically per se is behind the attacks. However, most of the attack data we are seeing is primarily coming from an attacker with the IP address of 184.108.40.206.”
Users of Thrive Themes should update them as soon as possible, according to Chamberland.
“For the time being, we urge that site owners running any of the Thrive Themes ‘legacy’ themes to update to version 2.0.0 immediately. And any site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins,” she stressed.
You may also like: