Attackers are actively exploiting two recently-patched vulnerabilities in a popular suite of tools for WordPress websites from marketing platform Thrive Themes.
Thrive Themes offers various products to help WordPress websites “convert visitors into leads and customers.” Its suite of products, called Thrive Suite, includes a lineup of Legacy Themes – tools to help change the layout and design of WordPress websites – as well as various plugins. These plugins offer various website development and visual functionalities, including Thrive Architect, which helps site owners create website landing pages, and Thrive Comments, which helps them implement engaging comments sections.
Two vulnerabilities were discovered across both these Legacy Themes and plugins, and patches were subsequently released on March 12. The flaws could be chained together to allow unauthenticated attackers ultimately to upload arbitrary files to vulnerable WordPress sites – allowing for full website compromise.
However, despite the patches being available, researchers are seeing a wave of exploit attempts begin – and they warn that more than 100,000 WordPress sites using Thrive Themes products may still be vulnerable.
“We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities,” according to Chloe Chamberland, threat analyst with Wordfence on Wednesday.
Below is a list of affected versions of Thrive Themes Legacy Themes and plugins, according to Wordfence:
- All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
- Thrive Optimize | Version < 220.127.116.11
- Thrive Comments | Version < 18.104.22.168
- Thrive Headline Optimizer | Version < 22.214.171.124
- Thrive Themes Builder | Version < 2.2.4
- Thrive Leads | Version < 126.96.36.199
- Thrive Ultimatum | Version < 188.8.131.52
- Thrive Quiz Builder | Version < 184.108.40.206
- Thrive Apprentice | Version < 220.127.116.11
- Thrive Architect | Version < 18.104.22.168
- Thrive Dashboard | Version < 22.214.171.124
The more critical of the two flaws ranks 10 out of 10 on the CVSS scale and exists in Thrive Themes Legacy Themes. These themes feature the ability to automatically compress images during uploads – however, this functionality was insecurely implemented, said Chamberland.
“Thrive ‘Legacy’ Themes register a REST API endpoint to compress images using the Kraken image optimization engine,” said Chamberland. “By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote URL and overwrite an existing file on the site with it or create a new file. This includes executable PHP files that contain malicious code.”
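The weakness Chamberland describes is a remote-fetch-and-write routine that trusts both the source URL and the destination file. The following is an added illustration, not Thrive Themes' or Kraken's code: a hypothetical WordPress helper that stores an optimized image fetched from a remote service, written so that neither the URL nor the file name can be turned into an arbitrary file write. The function name, the `example_optimizer_hosts` option and the allowlist-based design are assumptions for the example.

```php
<?php
// Added illustration, not Thrive Themes' or Kraken's code. A hypothetical
// helper that fetches an optimized image from a remote URL and stores it in
// the uploads directory. Function and option names are assumptions.

function example_store_optimized_image( string $remote_url, string $file_name ) {
    // 1. Only fetch from hosts the site expects to talk to (assumed option
    //    holding an allowlist), never from a caller-chosen arbitrary URL.
    $allowed_hosts = (array) get_option( 'example_optimizer_hosts', array() );
    $host          = wp_parse_url( $remote_url, PHP_URL_HOST );
    if ( ! wp_http_validate_url( $remote_url ) || ! in_array( $host, $allowed_hosts, true ) ) {
        return new WP_Error( 'bad_source', 'Source host not allowed.' );
    }

    // 2. Drop any directory component from the name and confine the write
    //    to the uploads directory: no "../" and no absolute paths.
    $file_name = sanitize_file_name( basename( $file_name ) );
    $uploads   = wp_upload_dir();
    $target    = trailingslashit( $uploads['path'] ) . $file_name;

    // 3. Accept only image extensions WordPress itself allows for uploads,
    //    so a .php name is rejected before anything is downloaded.
    $type = wp_check_filetype( $file_name );
    if ( empty( $type['type'] ) || 0 !== strpos( $type['type'], 'image/' ) ) {
        return new WP_Error( 'bad_type', 'Only image files may be written.' );
    }

    // 4. Refuse to overwrite: an optimizer creates new files, it never
    //    replaces existing ones such as a plugin's PHP source.
    if ( file_exists( $target ) ) {
        return new WP_Error( 'exists', 'Refusing to overwrite an existing file.' );
    }

    $response = wp_remote_get( $remote_url, array( 'timeout' => 15 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'fetch_failed', 'Could not download the optimized image.' );
    }
    $body = wp_remote_retrieve_body( $response );

    // 5. Check that the bytes really decode as an image before touching the
    //    filesystem (defense in depth; the extension check above is what
    //    keeps the result from ever being executable).
    if ( false === @getimagesizefromstring( $body ) ) {
        return new WP_Error( 'not_image', 'Downloaded content is not an image.' );
    }

    if ( false === file_put_contents( $target, $body ) ) {
        return new WP_Error( 'write_failed', 'Could not write the image.' );
    }
    return $target;
}
```

When reviewing a plugin's own version of this routine, the questions to ask map onto the numbered checks: where does the URL come from, where can the file land, which extensions are accepted, and can an existing file be replaced. The article's description implies the vulnerable code answered at least two of those with "wherever the request says".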
Another, less-severe vulnerability exists in Thrive Themes plugins. This flaw stems from an insecure implementation of a feature in the Thrive Dashboard that allows integration with the online automation tool Zapier. In order to make this integration work, Thrive Themes products register a REST API endpoint associated with Zapier functionality.
“While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled,” according to Chamberland. “Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.”
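The bypass Chamberland describes is a classic failure mode of "compare the supplied key to the stored key": when the integration is off, no key was ever generated, so the stored value is empty and an empty `api_key` parameter matches it. The following is an added illustration, not Thrive Themes' code: a hypothetical REST route showing that weak permission check beside a hardened one. The route, function and option names (`example/v1`, `example_zapier_enabled`, `example_zapier_api_key`) are assumptions for the example.

```php
<?php
// Added illustration, not Thrive Themes' code. A hypothetical WordPress REST
// route whose permission check has the weakness the article describes (an
// empty api_key accepted when the integration is switched off), beside a
// hardened version. Function, route and option names are assumptions.

// --- Weak pattern (what to look for in a code review) ---------------------
function example_weak_permission( WP_REST_Request $request ) {
    $supplied = (string) $request->get_param( 'api_key' );
    $stored   = (string) get_option( 'example_zapier_api_key', '' );

    // If the integration is disabled no key was ever generated, so $stored
    // is ''. A request carrying api_key= (empty) then satisfies this test.
    return $supplied === $stored;
}

// --- Hardened pattern -----------------------------------------------------
function example_hardened_permission( WP_REST_Request $request ) {
    // 1. The feature must be explicitly enabled; otherwise deny outright.
    if ( ! get_option( 'example_zapier_enabled', false ) ) {
        return new WP_Error( 'rest_forbidden', 'Integration disabled.', array( 'status' => 403 ) );
    }

    $stored   = (string) get_option( 'example_zapier_api_key', '' );
    $supplied = (string) $request->get_param( 'api_key' );

    // 2. An empty key on either side is never valid, even if both are empty.
    if ( '' === $stored || '' === $supplied ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
    }

    // 3. Constant-time comparison so the check does not leak timing information.
    if ( ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
    }

    return true;
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/zapier/option', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => 'example_hardened_permission',
        'args'                => array(
            'api_key' => array( 'type' => 'string', 'required' => true ),
            'value'   => array( 'type' => 'string', 'required' => true ),
        ),
        'callback'            => function ( WP_REST_Request $request ) {
            // 4. Even with a valid key, write only the one option this route
            //    owns, with a sanitized value: never a caller-chosen option
            //    name or raw data, which is what makes an "option update"
            //    flaw a stepping stone to the file-upload flaw.
            update_option( 'example_zapier_hook_url', esc_url_raw( $request->get_param( 'value' ) ) );
            return rest_ensure_response( array( 'updated' => true ) );
        },
    ) );
} );
```

Note that `'required' => true` in the route arguments only checks that the parameter is present; it does not reject an empty string, which is why the emptiness test lives in the permission callback rather than in the argument schema.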
Of note, a CVE ID for both of these vulnerabilities is pending, according to Wordfence.
The Exploit Chain
Chamberland said that attackers can chain these two vulnerabilities together in order to access affected websites – though Chamberland noted that researchers are intentionally providing minimal details about the exploit chain “in an attempt to keep exploitation to a minimum while also informing WordPress site owners using affected Thrive Theme products of this active campaign.”
At a high level, attackers are using the medium-severity “Unauthenticated Option Update” vulnerability to update an option in the database. This can then be used to leverage the critical-severity “Unauthenticated Arbitrary File Upload” vulnerability – and upload a malicious PHP file.
“The combination of these two vulnerabilities is allowing attackers to gain backdoor access into vulnerable sites to further compromise them,” said Chamberland.
Attacker Exploits Continue
Researchers were able to “verify this intrusion vector” on an individual site – and they then found the payload added by this attack on over 1,900 sites, all of which appear to have vulnerable REST API endpoints.
Chamberland told Threatpost that researchers are seeing attackers add a signup.php file to the home directory of targeted sites, which is then being used to further infect the sites with spam.
“This number is continuing to rise, indicating that the attackers are continuing to successfully exploit the vulnerabilities and compromise sites,” Chamberland told Threatpost. “Right now, we don’t have an idea who specifically, per se, is behind the attacks; however, most of the attack data we are seeing is primarily coming from an attacker with the IP address of 126.96.36.199.”
Chamberland said Thrive Themes users should make sure they’re updated as soon as possible.
“For the time being, we urge site owners running any of the Thrive Themes ‘legacy’ themes to update to version 2.0.0 immediately, and any site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins,” she stressed.
Threatpost has reached out to Thrive Themes for further comment.