Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild

Description: Remote Code Execution
Affected Plugin: ThemeREX Addons
Plugin Slug: trx_addons
Affected Versions: Versions greater than 1.6.50
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: Currently No Patch.

Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.

At the time of writing, this vulnerability is being actively exploited. We therefore urge anyone running a version greater than 1.6.50 to temporarily remove the ThemeREX Addons plugin until a patch has been released.

Wordfence Premium customers received a new firewall rule today, February 18th, 2020, at 3:16PM UTC to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days on March 19th, 2020.

REST-API Endpoint Unprotected and Improperly Configured

ThemeREX Addons is a plugin installed as a companion to many ThemeREX themes and provides a number of theme management features. One of the plugin’s functions registers a WordPress REST-API endpoint. When doing so, it does not verify that a request is coming from an administrative user.

While this is not cause for concern on its own, the endpoint allows any PHP function to be executed, rather than being limited to a select few functions. This means that remote code can be executed by any visitor, even those that are not authenticated to the site. The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover.
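As an added illustration (not ThemeREX's code, which this post deliberately does not show), here are the two controls the post says the endpoint lacks, written into a hypothetical WordPress REST route: a permission_callback that rejects non-administrators before the handler runs, and a fixed allowlist of operations in place of executing whatever function the request names. The namespace, route, action and handler names are assumptions.

```php
<?php
// Added example, not the plugin's code. Namespace, route and handler names
// are hypothetical; only the two controls matter.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/admin-action', array(
        'methods'  => 'POST',
        // Control 1: authorise before the callback runs. Without this, every
        // site visitor reaches the callback (WordPress 5.5+ also logs a
        // _doing_it_wrong notice when permission_callback is omitted).
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'callback' => 'example_addons_admin_action',
        'args'     => array(
            'action' => array(
                'required' => true,
                'type'     => 'string',
                // Anything outside the fixed allowlist fails validation.
                'enum'     => array( 'clear_cache', 'get_version' ),
            ),
        ),
    ) );
} );

// Control 2: dispatch only to a fixed table of handlers. Request data is never
// used as a function name, so no arbitrary PHP function is reachable.
function example_addons_admin_action( WP_REST_Request $request ) {
    $handlers = array(
        'clear_cache' => 'example_addons_clear_cache',
        'get_version' => 'example_addons_get_version',
    );
    $action = $request->get_param( 'action' );
    if ( ! isset( $handlers[ $action ] ) ) {
        return new WP_Error( 'rest_invalid_param', 'Unknown action.', array( 'status' => 400 ) );
    }
    return rest_ensure_response( call_user_func( $handlers[ $action ] ) );
}

function example_addons_clear_cache() {
    // Hypothetical handler: flush the plugin's own cached data.
    return array( 'cleared' => true );
}

function example_addons_get_version() {
    return array( 'version' => '1.0.0' ); // hypothetical plugin version
}
```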

Indicators of Compromise

We currently have very little data on who is exploiting this vulnerability and what artifacts are being left behind. We do know, however, that the attacks are targeting administrative user account creation. If you are running the ThemeREX Addons plugin on your site and you discover a new, suspicious administrative account, it is very likely that your site was compromised through this vulnerability. We will provide more information as details emerge.

Conclusion

We have intentionally provided minimal details in this post in an attempt to keep exploitation to a bare minimum while also informing WordPress site owners of this active campaign. We will release a follow-up post with further details once the developer patches this vulnerability.

For the time being, we urge that site owners running the ThemeREX Addons plugin remove it from their sites immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 18th, 2020. Sites running the free version of Wordfence will receive the firewall rule update on March 19th, 2020.

Special thanks to Tobias Westphal and Arne Breitsprecher for reporting this vulnerability to Wordfence.

16 Comments
  • Any chance you can tell us what directory this plugin gets installed into? I ask because I don't use/pay for the plugin but am concerned that customers on servers I manage might be using it. So I like to proactively go and search for websites that have it installed so that I can notify the customer. And in order for me to search for it, I need to know the name of the directory that is created under /wp-content/plugins when this plugin is installed.

    • Hi Doug,

      The plugin slug is trx_addons and that is the name of the directory that is created upon plugin install. Thanks for bringing this to our attention, I have added it to the top of the post.

    • @Doug, you might like to look into installing/using WP-CLI on the servers you manage. You can use it from the command line to, for example, list the plugins installed on multiple WP sites.
      I find it essential for managing multiple WP sites on multiple servers.

  • I noticed this behavior on a website using a theme made by themesflat rather than themerex: over 4,000 admin accounts were created that were generating spam on the server, but I also noticed that the option that anyone can register was checked in WordPress, with admin as the default profile for new users. I cannot attest whether this was a mistake by the freelancer who worked on the website or something similar to what is described in this post, injecting these options to be checked and later exploited automatically by bots to create all the admin accounts.

  • Thank you for sharing this important information. Where can we see a changelog of this plugin? I have seen some websites that have the 1.6.29 version. Are they totally safe from this vulnerability? Thanks.

    • Hi Luis,

      Unfortunately, there are no publicly available changelogs for this plugin. We are still waiting to hear back from the ThemeREX team on official word on what versions are vulnerable. In the meantime, you can check to see if you have a vulnerable version by checking for the plugin.rest-api.php file in the /wp-content/plugins/includes folder. If that file is present you are running a vulnerable version and you should remove it along with the following line of code `require_once TRX_ADDONS_PLUGIN_DIR_INCLUDES . 'plugin.rest-api.php';` from the file /trx_addions.php located in the /wp-content/plugins/trx_addons/ folder. If you are running Wordfence Premium any exploit attempts against this vulnerability will be blocked.

  • Hi.
    Just to confirm, are you sure about the version? Because this plugin comes with my theme, and I have the latest theme, but the plugin version it shows is only 1.4.6.5. Am I safe? Is there any line of code I can search for to verify that I am safe? I cannot deactivate the plugin, because the whole site is based on its shortcodes.
    Thanks.
    Regards.

    • Hi Nikolay,

      We are still waiting to hear back from the ThemeREX team on official word on what versions are vulnerable in different themes. In the meantime, you can check to see if you have a vulnerable version by checking for the plugin.rest-api.php file in the /wp-content/plugins/includes folder. If that file is present you are running a vulnerable version and you should remove it along with the following line of code `require_once TRX_ADDONS_PLUGIN_DIR_INCLUDES . 'plugin.rest-api.php';` from the file /trx_addions.php located in the /wp-content/plugins/trx_addons/ folder. If you are running Wordfence Premium any exploit attempts against this vulnerability will be blocked.
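As an added helper (not from Wordfence or the commenters), the file check described in the replies above, turned into a POSIX shell script that walks every WordPress install under a server's web root and reports whether the trx_addons plugin directory still contains plugin.rest-api.php. It assumes each site root holds a wp-config.php, and it searches the whole plugin tree rather than one fixed include path, so it does not depend on where the includes folder sits.

```shell
#!/bin/sh
# Added example, not Wordfence or ThemeREX code. Assumes each WordPress
# site root contains wp-config.php and that plugins live under
# wp-content/plugins relative to that root.

# Return 0 if the trx_addons plugin directory below site root $1 contains
# a file named plugin.rest-api.php anywhere, 1 if the plugin is absent or
# the file has already been removed.
trx_addons_vulnerable() {
    plugin_dir="$1/wp-content/plugins/trx_addons"
    [ -d "$plugin_dir" ] || return 1
    # Search the whole plugin tree so the exact include path is not needed.
    [ -n "$(find "$plugin_dir" -type f -name 'plugin.rest-api.php' -print)" ]
}

# Walk every WordPress root below $1 and print one line per site:
# VULNERABLE (file present), CLEAN (plugin present, file gone) or NO-PLUGIN.
scan_sites() {
    find "$1" -type f -name 'wp-config.php' -print | while IFS= read -r cfg; do
        site="$(dirname "$cfg")"
        if trx_addons_vulnerable "$site"; then
            echo "VULNERABLE $site"
        elif [ -d "$site/wp-content/plugins/trx_addons" ]; then
            echo "CLEAN $site"
        else
            echo "NO-PLUGIN $site"
        fi
    done
}
```

Run it as `scan_sites /var/www` (or wherever the sites live) and follow up on every VULNERABLE line; the CLEAN lines are sites where the include has already been removed but the plugin is still installed.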

    • To make sure you have the latest plugin, with the vulnerability fixed, do the following:

      - Delete the trx_addons folder from your /wp-content/plugins/ path
      - Install the latest theme by updating through WordPress or by replacing all files via FTP
      - Log into your WordPress admin dashboard and you will be asked by Maxify to install the plugin

      If you don't have the latest theme version you can update just the plugin. Do the above but this time upload the fixed plugin via FTP. You can find the new zip file of the plugin in your maxify folder on this path after extracting the latest download from Envato:

      \maxify\plugins\trx_addons\\maxify\plugins\trx_addons.zip

      They included the fixed plugin version but their theme can't upgrade it automatically, so it needs to be done manually. I just found this today after having updated the theme a few days ago.

  • Thank you, Chloe. That is extremely helpful!

  • Hi Wordfence Team,

    First of all, thanks a lot for the notice! Too bad you couldn't give us a day or two before posting this up, so that we can provide the fix right away. Only some of our themes containing certain versions of the plugin have this issue, so I am not sure why all our customers having Themerex Addons plugin were notified. But anyway we are happy to fix it of course, security above all.

    The solution was found within a few minutes and we are already updating the themes on Themeforest! It will happen within today/tomorrow, so please rest assured, it is no longer an issue.

    If somebody needs the fix right away, here is how to do it:

    1) Remove the file wp-content/plugins/includes/plugin.rest-api.php. If the file is not in your plugin, then there is no problem at all.
    2) Remove the following line of code in wp-content/themes/theme_name/plugins/trx_addons/trx_addions.php:
    require_once TRX_ADDONS_PLUGIN_DIR_INCLUDES . 'plugin.rest-api.php';

    If you have any questions, please just submit a ticket here - https://themerex.net/support/ - we'll resolve it very quickly!

    Themerex Team

    • *Update

      Actually, you should edit this file wp-content/plugins/trx_addons/trx_addions.php to remove the above-mentioned line.

    • Hi ThemeRex team!

      We did reach out to you as soon as we were aware of the active exploitation of this vulnerability. As it was actively being exploited, we immediately created the firewall rule to protect Wordfence customers from intrusion. We did not notify any of your customers. The vulnerability we found and tested was within the Addons plugin. As the exploitation was active and ongoing, we opted to notify the community as a whole to take action to protect themselves. As you may note in the post, we did not provide details about how this vulnerability could be exploited or even how it is currently being exploited by attackers.

      Thank you for commenting, and for letting our community know that a fix is underway.

      • Hi Chloe,

        Thanks a lot for the reply! We merely meant that bad people had some time before you made the post and we made the updates, that's it. It took us less than a day (all the team has been working) to deal with the issue.

        At the moment ALL of the themes that had the vulnerability were updated. We have also helped all the clients that asked via direct messages and tickets. And I hope the fix we provided here helped as well. People from your team confirmed that as well. So thank you again for your help! Safety above all!

        Best regards,

        ThemeRex Team

  • Dear Themerex Team,

    Wow! Just wow! What a response!

    "First of all, thanks a lot for the notice! Too bad you couldn't give us a day or two before posting this up"

    Get your SDLC, developers and SAST/DAST tooling up to scratch then you can be a little cocky. For now, you [messed] up and put website security at risk, so suck it up and get your developers Security savvy!

    Stay safe,
    Wayne

    • Hi Wayne,

      Thanks for your input. This must be a misunderstanding because the tone of the message can be interpreted differently depending on the intonation. We never meant to sound cocky there. Just saying that bad people had some time while the post was published and we were making the updates, that's it. And during that time the number of "attacks" increased. But we were very fast to fix it and that's all thanks to the Wordfence team and concerned people like yourself. So once again, thanks a lot for the help.

      Without all of you guys, we could not have provided such a quick fix and update everything in one day. I hope everything is going to be alright now. We'll help every client, like we've been helping all day!

      Best regards,
      ThemeRex Team