Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.
At the time of writing, this vulnerability is being actively exploited. We therefore urge users running a version greater than 1.6.50 to temporarily remove the ThemeREX Addons plugin until a patch has been released.
Wordfence Premium customers received a new firewall rule today, February 18th, 2020, at 3:16PM UTC to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days on March 19th, 2020.
REST-API Endpoint Unprotected and Improperly Configured
ThemeREX Addons is a plugin installed as a companion to many ThemeREX themes and provides a number of theme management features. One of the plugin’s functions registers a WordPress REST-API endpoint. When doing so, it does not verify that a request is coming from an administrative user.
While this is not cause for concern on its own, the endpoint allows any PHP function to be executed, rather than being limited to a select few functions. This means that remote code can be executed by any visitor, even those who are not authenticated to the site. The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover.
Indicators of Compromise
We currently have very little data on who is exploiting this vulnerability and what artifacts are being left behind. However, we do know that attacks are targeting administrative user account creation. If you are running the ThemeREX Addons plugin on your site and you discover a new suspicious administrative account, it is very likely that your site was compromised as a result of this vulnerability. We will provide more information as details emerge.
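One way to run the administrator-account check described above, as an added example that is not Wordfence's code: it reviews a CSV export of administrator accounts (as produced by WP-CLI's `wp user list`) and flags accounts that are unrecognized, recently registered, or have an unusable registration date. The sample rows, the `KNOWN_ADMINS` list and the `REVIEW_FROM` date are constructed assumptions to replace with your own values.

```python
import csv
import io
from datetime import datetime

# Constructed sample of the output of:
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2018-05-02 09:14:33
3,legacy_admin,legacy@example.com,0000-00-00 00:00:00
7,editor_promoted,jane@example.com,2019-11-20 16:02:10
23,wpsupport2020,wpsupport2020@example.net,2020-02-17 03:41:09
24,backup_admin,backup_admin@example.org,2020-02-18 22:05:51
"""

# Assumption: logins the site owner has confirmed as legitimate administrators.
KNOWN_ADMINS = {"siteowner", "legacy_admin", "editor_promoted"}
# Assumption: start of the review window; choose a date that predates any suspected activity.
REVIEW_FROM = datetime(2020, 2, 1)


def suspicious_admins(csv_text, known_admins, review_from):
    """Return (login, registered, reasons) for each administrator that needs manual review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        if row["user_login"] not in known_admins:
            reasons.append("not in known-admin list")
        try:
            # WordPress stores user_registered as a UTC "Y-m-d H:i:s" string.
            registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            # Zeroed or malformed dates cannot be placed on a timeline, so flag them.
            registered = None
            reasons.append("registration date missing or invalid")
        if registered is not None and registered >= review_from:
            reasons.append("registered inside review window")
        if reasons:
            findings.append((row["user_login"], row["user_registered"], reasons))
    return findings


if __name__ == "__main__":
    for login, registered, reasons in suspicious_admins(SAMPLE_CSV, KNOWN_ADMINS, REVIEW_FROM):
        print(f"{login:<16} {registered}  {'; '.join(reasons)}")
```

A flagged account is a prompt for manual review, not proof of compromise, and an empty result does not show that the site is clean.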
We have intentionally provided minimal details in this post in an attempt to keep exploitation to a bare minimum while also informing WordPress site owners of this active campaign. We will release a follow-up post with further details once the developer patches this vulnerability.
For the time being, we urge that site owners running the ThemeREX Addons plugin remove it from their sites immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 18th, 2020. Sites running the free version of Wordfence will receive the firewall rule update on March 19th, 2020.
Special thanks to Tobias Westphal and Arne Breitsprecher for reporting this vulnerability to Wordfence.