Thrive Themes recently patched vulnerabilities in its WordPress plugins and Legacy Themes, but attackers are targeting all those who have not yet applied the security updates.
Attackers are actively exploiting two recently patched vulnerabilities in a popular suite of WordPress products from marketing platform Thrive Themes.
Thrive Themes offers various tools to help WordPress websites “convert visitors into leads and customers.” Its suite of products, known as Thrive Suite, includes a lineup of Legacy Themes (tools to customize the layout and structure of WordPress sites) as well as several plugins. These plugins provide a range of site-building and visual features, including Thrive Architect, which helps site owners create landing pages, and Thrive Comments, which helps them build engaging comment sections.
Two vulnerabilities were discovered across both the Legacy Themes and the plugins, and patches were released on March 12. The flaws can be chained together to let unauthenticated attackers upload arbitrary files to vulnerable WordPress sites, allowing full site compromise.
However, despite the patches, researchers are seeing a wave of exploitation attempts begin, and they warn that more than 100,000 WordPress sites using Thrive Themes products may still be vulnerable.
“We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities,” wrote Chloe Chamberland, threat analyst with Wordfence, on Wednesday.
Below is a list of affected versions of Thrive Themes Legacy Themes and plugins, according to Wordfence (anything below the listed version is vulnerable):
- All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
- Thrive Optimize | Version < 1.4.13.3
- Thrive Comments | Version < 1.4.15.3
- Thrive Headline Optimizer | Version < 1.3.7.3
- Thrive Theme Builder | Version < 2.2.4
- Thrive Leads | Version < 2.3.9.4
- Thrive Ultimatum | Version < 2.3.9.4
- Thrive Quiz Builder | Version < 2.3.9.4
- Thrive Apprentice | Version < 2.3.9.4
- Thrive Architect | Version < 2.6.7.4
- Thrive Dashboard | Version < 2.3.9.3
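The list above is only useful if you can compare it against what is actually installed. The following triage helper is an added example (not Wordfence's or Thrive Themes' code): it encodes the fixed-in versions from the list, reads the `Version:` field out of a WordPress plugin or theme file header, and reports which products are still below the patched version. The plugin header and the installed-version dictionary it runs on are constructed sample input; version comparison pads shorter version strings so that `2.2.4` and `2.2.4.0` compare equal.

```python
"""Triage helper: compare installed Thrive Themes product versions against the
affected-version thresholds listed in the advisory.

Added example, not Wordfence's or Thrive Themes' code. The thresholds are the
ones from the advisory list; the plugin-header sample below is constructed.
"""
import re
from typing import Dict, List, Tuple

# "Fixed in" versions from the advisory list: anything strictly lower is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "Thrive Legacy Theme": "2.0.0",  # Rise, Ignition, and the other legacy themes
    "Thrive Optimize": "1.4.13.3",
    "Thrive Comments": "1.4.15.3",
    "Thrive Headline Optimizer": "1.3.7.3",
    "Thrive Theme Builder": "2.2.4",
    "Thrive Leads": "2.3.9.4",
    "Thrive Ultimatum": "2.3.9.4",
    "Thrive Quiz Builder": "2.3.9.4",
    "Thrive Apprentice": "2.3.9.4",
    "Thrive Architect": "2.6.7.4",
    "Thrive Dashboard": "2.3.9.3",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.6.7.4' into (2, 6, 7, 4). A non-numeric suffix such as
    '-beta' is dropped so a dev build still compares on its numeric part."""
    parts = []
    for piece in version.strip().split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """Strict less-than with right-padding, so '2.2.4' == '2.2.4.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed version is below the fixed version for that product."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        raise KeyError(f"unknown product: {product}")
    return version_lt(installed, fixed)


# Matches the 'Plugin Name:', 'Theme Name:' and 'Version:' lines of a WordPress
# file header, with or without the leading ' * ' of a block comment.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Theme Name|Version):\s*(.+?)\s*$", re.M)


def read_wp_header(source: str) -> Dict[str, str]:
    """Pull the name and version fields out of a WordPress plugin/theme header."""
    return {key: value for key, value in HEADER_RE.findall(source)}


def triage(installed: Dict[str, str]) -> List[str]:
    """Return the products (sorted) whose installed version still needs updating."""
    return sorted(p for p, v in installed.items() if is_vulnerable(p, v))


# Constructed sample: the header of a plugin's main PHP file, one patch level short.
SAMPLE_PLUGIN_HEADER = """<?php
/**
 * Plugin Name: Thrive Architect
 * Version: 2.6.7.3
 */
"""

if __name__ == "__main__":
    header = read_wp_header(SAMPLE_PLUGIN_HEADER)
    print(header, "vulnerable:", is_vulnerable(header["Plugin Name"], header["Version"]))
    print("needs update:", triage({"Thrive Leads": "2.3.9.4", "Thrive Dashboard": "2.3.9.2"}))
```

In a real site the header comes from each plugin's main file under `wp-content/plugins/` (or `style.css` for a theme); the product-name keys above are those used on this page, so map your installed names onto them before calling `triage`.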
The Flaws
The more critical of the two flaws ranks 10 out of 10 on the CVSS scale and exists in the Thrive Themes Legacy Themes. These themes include the ability to automatically compress images during uploads, but this functionality was insecurely implemented, said Chamberland.
“Thrive ‘Legacy’ Themes register a REST API endpoint to compress images using the Kraken image optimization engine,” said Chamberland. “By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote URL and overwrite an existing file on the site with it, or create a new file. This includes executable PHP files that contain malicious code.”
The second, less-severe vulnerability exists in the Thrive Themes plugins. It stems from an insecure implementation of a feature in the Thrive Dashboard that allows integration with the online automation tool Zapier. To make this integration work, Thrive Themes products register a REST API endpoint associated with the Zapier functionality.
“While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled,” according to Chamberland. “Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.”
Of note, CVE IDs for both vulnerabilities are pending, according to Wordfence.
The Exploit Chain
Chamberland said attackers can chain these two vulnerabilities together to gain access to affected sites, though she noted that researchers are intentionally providing limited detail about the exploit chain “in an attempt to keep exploitation to a minimum while also informing WordPress site owners using affected Thrive Theme products of this active campaign.”
At a high level, attackers use the medium-severity “Unauthenticated Option Update” vulnerability to write an option to the database. That planted option is then what lets them trigger the critical-severity “Unauthenticated Arbitrary File Upload” vulnerability and upload a malicious PHP file.
“The combination of these two vulnerabilities is allowing attackers to gain backdoor access to vulnerable sites to further compromise them,” said Chamberland.
Attacker Exploits Continue
Researchers were able to “verify this intrusion vector” on an individual site, and they then identified the payload added by this attack on more than 1,900 sites, all of which appear to have vulnerable REST API endpoints.
Chamberland told Threatpost that researchers are seeing attackers add a signup.php file to the home directory of targeted sites, which is then used to further infect the sites with spam.
“This number is continuing to rise, indicating that the attackers are continuing to successfully exploit the vulnerabilities and compromise sites,” Chamberland told Threatpost. “Right now, we do not have an idea of who exactly per se is behind the attacks; however, most of the attack data we are seeing is primarily coming from an attacker with the IP address 5.255.176.41.”
Chamberland said Thrive Themes users should make sure they are updated as soon as possible.
“For the time being, we urge that site owners running any of the Thrive Themes ‘legacy’ themes update to version 2.0.0 immediately, and any site owners running any of the Thrive plugins update to the latest version available for each of the respective plugins,” she stressed.
Threatpost has reached out to Thrive Themes for further comment.
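The indicators above (the attacker IP, the empty `api_key` parameter on a REST request, and a `signup.php` dropped in the site root) can be turned into a quick access-log sweep. The script below is an added example, not Wordfence's detection logic: it parses Apache combined-format log lines and flags requests matching any of the three. The log lines are constructed, and because this page does not name the Thrive REST route, the rule keys on any `/wp-json/` or `?rest_route=` request carrying an empty `api_key` (an assumption) rather than on a specific endpoint; the `/wp-json/example/v1/zapier` path in the sample is a placeholder.

```python
"""Sweep web-server access logs for the indicators reported for this campaign.

Added example, not Wordfence's code. Log lines are constructed; the REST route
in them is a placeholder, since the real route name is not given on the page.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Reported by Wordfence as the main source of the attack traffic.
ATTACKER_IP = "5.255.176.41"

# Apache combined log format: ip ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(entry: Dict[str, str]) -> List[str]:
    """Return the reasons an access-log entry looks like part of this campaign."""
    reasons: List[str] = []
    parts = urlsplit(entry["target"])
    # keep_blank_values so 'api_key=' is seen as present-but-empty, not absent.
    query = parse_qs(parts.query, keep_blank_values=True)
    is_rest = "/wp-json/" in parts.path or "rest_route" in query  # assumption: either REST form

    if entry["ip"] == ATTACKER_IP:
        reasons.append("source is reported attacker IP")
    if is_rest and query.get("api_key") == [""]:
        reasons.append("REST request with empty api_key")
    if parts.path == "/signup.php":
        reasons.append("hit on dropped signup.php in site root")
    return reasons


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run flag_request over every parseable line and collect the hits in order."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_request(entry)
        if reasons:
            hits.append({"ip": entry["ip"], "target": entry["target"], "reasons": reasons})
    return hits


# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Mar/2021:10:01:02 +0000] "GET /blog/ HTTP/1.1" 200 5123',
    '5.255.176.41 - - [17/Mar/2021:10:02:11 +0000] "POST /wp-json/example/v1/zapier?api_key= HTTP/1.1" 200 44',
    '198.51.100.23 - - [17/Mar/2021:10:03:45 +0000] "GET /?rest_route=/example/v1/zapier&api_key= HTTP/1.1" 200 44',
    '198.51.100.23 - - [17/Mar/2021:10:04:50 +0000] "GET /signup.php HTTP/1.1" 200 812',
    '203.0.113.7 - - [17/Mar/2021:10:05:00 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 9001',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["target"], "->", "; ".join(hit["reasons"]))
```

The empty `api_key` check only works when the parameter travels in the query string; a POST body is not recorded in a standard access log, so pair this sweep with a file-integrity check for `signup.php` and any other unexpected PHP files in the web root, and with the version triage above.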
Some parts of this article are sourced from:
threatpost.com