Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products that may still be vulnerable.

Patches were released on March 12, 2021 for the vulnerable themes and plugins. We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities.

We strongly recommend updating if you are running any of the following versions:

  • All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
  • Thrive Optimize | Version < 1.4.13.3
  • Thrive Comments | Version < 1.4.15.3
  • Thrive Headline Optimizer | Version < 1.3.7.3
  • Thrive Themes Builder | Version < 2.2.4
  • Thrive Leads | Version < 2.3.9.4
  • Thrive Ultimatum | Version < 2.3.9.4
  • Thrive Quiz Builder | Version < 2.3.9.4
  • Thrive Apprentice | Version < 2.3.9.4
  • Thrive Architect | Version < 2.6.7.4
  • Thrive Dashboard | Version < 2.3.9.3
  • Thrive Ovation | Version < 2.4.5
  • Thrive Clever Widgets | Version < 1.56.1

Wordfence Premium customers received two rules on March 23, 2021 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive the same protection on April 22, 2021.

Description: Unauthenticated Option Update
Affected Plugins: All Thrive Theme Plugins and Themes
Plugin Slugs: thrive-ab-page-testing, thrive-comments, thrive-headline-optimizer, thrive-visual-editor, thrive-leads, thrive-ultimatum, thrive-quiz-builder, thrive-apprentice, thrive-architect, thrive-dashboard, thrive-ovation, thrive-clever-widgets
Affected Versions of Plugins: Various [please see above for affected versions]
Affected Themes: All Thrive Themes Legacy Themes
Theme Slugs: rise, ignition, luxe, focusblog, minus, squared, voice, performag, pressive, storied, thrive-theme
Affected Versions of Themes: < 2.0.0
CVE ID: CVE-2021-24219
CVSS Score: 5.8 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Fully Patched Version of Plugins: Various [please see above for patched versions]
Fully Patched Version of Themes: 2.0.0

Thrive Themes offers a variety of products designed to enhance the site building process. One feature that these products offer in the Thrive Dashboard is the ability to integrate with Zapier. Unfortunately, this functionality was insecurely implemented.

Thrive Themes products register a REST API endpoint associated with Zapier functionality. While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled. Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.

Description: Unauthenticated Arbitrary File Upload and Option Deletion
Affected Themes: All Thrive Themes Legacy Themes
Theme Slugs: rise, ignition, luxe, focusblog, minus, squared, voice, performag, pressive, storied
Affected Versions: < 2.0.0
CVE ID: CVE-2021-24220
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.0.0

Thrive Themes “Legacy” themes offer the ability to automatically compress images during all uploads. Unfortunately, this functionality was insecurely implemented as well.

Thrive “Legacy” Themes register a REST API endpoint to compress images using the Kraken image optimization engine. By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote URL and overwrite an existing file on the site with it or create a new file. This includes executable PHP files that contain malicious code.

Chaining Exploits Together

We’ve seen cases in the past where attackers chain two separate exploits in order to gain access to a site and that was the case with this exploit.

Attackers are using the Unauthenticated Option Update vulnerability to update an option in the database that can then be used by the Unauthenticated Arbitrary File Upload vulnerability to upload a malicious PHP file. The combination of these two vulnerabilities is allowing attackers to gain backdoor access into vulnerable sites to further compromise them.

Indicators of Compromise

Our security analysts have been able to forensically verify this intrusion vector on an individual site. In addition, we have found the payload added by this attack on over 1900 sites, all of which appear to have vulnerable REST API endpoints. We will update this section as we discover new information.

Modified and Malicious Files

  • /signup.php – We are seeing this file in the webroot of compromised sites, and it appears to be a backdoor used to further infect sites. While we’re seeing a few variants, the vast majority of these have an MD5 hash of d8ef979fc3aac9dabb0883cb5be4b345
  • A small number of infected sites also have an additional malicious client.php or wp-includes/client.php file included from a modification to wp-load.php. In some sites this appears to be used to inject spam. The following MD5 hashes are prevalent on these sites:
    • 4f737679c8e660c4883b2d0bddc6cb77
    • 2004feca39133a7034893ce7ef6f6b25

Offending IP Addresses

  • 5.255.176.41

Log Files

Here are the extracted contents of a log file from a site that was compromised by this chain of vulnerabilities. It is easy to observe the attack step by step while reviewing these log files. Keep an eye out for similar log entries if your site has been compromised recently.

5.255.176.41 - - [09/Mar/2021:18:51:34 +0100] "GET /wp-json HTTP/1.1" 200 158979 "REDACTED" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [09/Mar/2021:18:51:35 +0100] "POST /wp-json/thrive/kraken HTTP/1.1" 200 - "REDACTED/wp-json" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [09/Mar/2021:18:51:36 +0100] "POST /wp-json/td/v1/optin/subscription HTTP/1.1" 200 25 "REDACTED/wp-json/thrive/kraken" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [09/Mar/2021:18:51:36 +0100] "POST /wp-json/thrive/kraken HTTP/1.1" 200 - "REDACTED/wp-json/td/v1/optin/subscription" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [09/Mar/2021:18:51:38 +0100] "GET /wp-links-opml.php HTTP/1.1" 200 11 "REDACTED/wp-json/thrive/kraken" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [09/Mar/2021:23:00:00 +0100] "POST /signup.php HTTP/1.1" 302 512 "REDACTED/signup.php;6668bb972609" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [09/Mar/2021:23:00:00 +0100] "GET /signup.php HTTP/1.1" 200 91521 "REDACTED/signup.php;6668bb972609" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [09/Mar/2021:23:00:00 +0100] "POST /signup.php HTTP/1.1" 200 11 "REDACTED/signup.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
5.255.176.41 - - [10/Mar/2021:04:13:43 +0100] "POST /signup.php HTTP/1.1" 302 512 "REDACTED/signup.php;6668bb972609" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3538.77 Safari/537.36"
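As an added detection example (not Wordfence's code), the following Python script parses combined-format access log lines like those above and flags any client that POSTs to both the option-update endpoint and the kraken callback endpoint, reporting later requests to /signup.php from the same client as a backdoor hit. The sample lines are constructed from the excerpt with the user agent shortened.

```python
import re
from collections import defaultdict

# Combined log format: ip - - [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints and backdoor path named in the advisory.
OPTION_UPDATE = "/wp-json/td/v1/optin/subscription"
KRAKEN_CALLBACK = "/wp-json/thrive/kraken"
BACKDOOR = "/signup.php"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_exploit_chains(lines):
    """Return {ip: [stage, ...]} for clients that POSTed to both Thrive endpoints.
    Requests to /signup.php by the same client are reported as 'backdoor_hit'."""
    stages = defaultdict(list)
    for line in lines:
        r = parse_line(line)
        if r is None:
            continue
        path = r["path"].split("?", 1)[0].rstrip("/") or "/"
        if r["method"] == "POST" and path == OPTION_UPDATE:
            stages[r["ip"]].append("option_update")
        elif r["method"] == "POST" and path == KRAKEN_CALLBACK:
            stages[r["ip"]].append("kraken_callback")
        elif path == BACKDOOR:
            stages[r["ip"]].append("backdoor_hit")
    # Only a client that touched both vulnerable endpoints matches the chain.
    return {ip: s for ip, s in stages.items()
            if "option_update" in s and "kraken_callback" in s}

# Constructed sample lines modelled on the advisory's excerpt (user agent shortened).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Mar/2021:18:40:01 +0100] "GET /wp-json HTTP/1.1" 200 158979 "-" "Mozilla/5.0"',
    '5.255.176.41 - - [09/Mar/2021:18:51:35 +0100] "POST /wp-json/thrive/kraken HTTP/1.1" 200 - "REDACTED/wp-json" "Mozilla/5.0"',
    '5.255.176.41 - - [09/Mar/2021:18:51:36 +0100] "POST /wp-json/td/v1/optin/subscription HTTP/1.1" 200 25 "REDACTED/wp-json/thrive/kraken" "Mozilla/5.0"',
    '5.255.176.41 - - [09/Mar/2021:18:51:36 +0100] "POST /wp-json/thrive/kraken HTTP/1.1" 200 - "REDACTED/wp-json/td/v1/optin/subscription" "Mozilla/5.0"',
    '5.255.176.41 - - [09/Mar/2021:23:00:00 +0100] "POST /signup.php HTTP/1.1" 302 512 "REDACTED/signup.php;6668bb972609" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, s in find_exploit_chains(SAMPLE_LOG).items():
        print(ip, "->", " > ".join(s))
```

Run it against a real access log by reading the file into a list of lines; a match on both endpoints from one client is a strong signal to inspect the webroot for the files listed above.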

Response Timeline

March 23, 2021 1:03 PM UTC – Charles Sweethill, Wordfence Security Analyst, notifies the Threat Intelligence team of evidence indicating the possibility of a critical vulnerability in Thrive Themes being actively exploited. An investigation begins.
March 23, 2021 5:11 PM UTC – We discover one of the vulnerable API endpoints.
March 23, 2021 5:38 PM UTC – We obtain a vulnerable copy of one of the Thrive Themes, and confirm that the thrive_kraken_callback() function is vulnerable to arbitrary file creation.
March 23, 2021 6:07 PM UTC – We discover the second vulnerable API endpoint needed in order to exploit the first API endpoint.
March 23, 2021 6:36 PM UTC – We verify that the subscribe() function is vulnerable to unauthenticated options change that can be used to exploit the vulnerability in the thrive_kraken_callback() function.
March 23, 2021 7:01 PM UTC – We create a working proof of concept and firewall rule development begins.
March 23, 2021 10:16 PM UTC – Testing on the first firewall rule for the unauthenticated options change is complete and the rule is released to Wordfence Premium users.
March 23, 2021 10:26 PM UTC – Testing on the second firewall rule for the unauthenticated arbitrary file upload vulnerability is complete and the rule is released to Wordfence Premium users.
April 22, 2021 – Wordfence free users receive the same protection.

Conclusion

We have intentionally provided minimal details in this post in an attempt to keep exploitation to a minimum while also informing WordPress site owners using affected Thrive Theme products of this active campaign. We will release a follow-up post with further details once active exploitation ceases.

For the time being, we urge site owners running any of the Thrive Themes “legacy” themes to update to version 2.0.0 immediately, and site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins.

Wordfence Premium customers have been protected from attacks against this vulnerability since March 23, 2021. Sites running the free version of Wordfence will receive the firewall rule update on April 22, 2021.

Our team is actively tracking attacks, and we will produce more details as soon as we believe it is responsible to do so. For updates, please consider subscribing to our newsletter, and please consider sharing this post to help create awareness of this security issue.

Special thanks to Wordfence Security Analyst Charles Sweethill for quickly identifying these vulnerabilities during a site cleaning, pinpointing the REST API endpoints used to compromise vulnerable sites, and for his contributions on this post. Also, huge thanks to Wordfence Threat Analyst Ramuel Gall for his work reverse engineering both vulnerabilities and attack data, creating a working proof of concept, writing the firewall rules to protect Wordfence customers, and his contributions to this post. This research and the resulting protection for Wordfence customers is truly a team effort.


Comments

6 Comments
  • Chloe is on fire - the plus_addon and now this. Congrats!!!! I did find signup.php on my platform. And I'm in the process of removing it from the infected sites.

    • Hi Salvador,

      I really appreciate that, but I must say it is the entire Wordfence team that is on fire. :) I am sorry to hear your sites were affected by this, I recommend following this guide to clean up your site to make sure nothing goes missed.

      Thanks again!

      • Thanks for the guide.

  • Hi. Thanks so much for all the security work you guys do. I've gone in and updated what I can. However, when I tried to update my themes Ignition and Rise (I'm using it on 2 sites still), it went from version 2.0.0 back to version 1.510. Now there is still a message to update for 2.0.1 but every time I try, it says it's successful but it doesn't clear from the updates page in WordPress. Should I be concerned about this?

    • Hi Susie,

      That is very odd, and I am sorry to hear that is happening! I would recommend reaching out to their support team directly for their assistance on trying to get that updated for you. It looks like you can get in touch with them here: https://thrivethemes.com/support/

  • They are also uploading the following files besides the signup.php one:

    wp-stream.php
    wp-logout.php