A critical vulnerability in a WordPress plugin known as “ThemeREX Addons” could open the door for remote code execution in tens of thousands of websites. According to Wordfence, the bug has been actively exploited in the wild as a zero-day.
The plugin, which is installed on approximately 44,000 sites, is used to apply various “skins” that govern the look and feel of web destinations, including theme-enhancing features and widgets.
To provide compatibility with WordPress’ Gutenberg plugin, the ThemeREX Addons plugin uses an API, according to Wordfence researcher Chloe Chamberland, writing in a blog posting on Monday. When the API interacts with Gutenberg, the touchpoints of that communication are known as endpoints. ThemeREX uses the “~/includes/plugin.rest-api.php” file to register an endpoint (“/trx_addons/v2/get/sc_layout”), which in turn calls the “trx_addons_rest_get_sc_layout” function.
This introduces an access-control problem, the researcher noted. In unpatched versions of ThemeREX, “there were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability,” she explained. “In addition, there was no nonce check to verify the authenticity of the source.”
Further down in the code, there is also functionality used to get parameters from widgets that work with the Gutenberg plugin.
“This is where the core of the remote code execution vulnerability was present,” Chamberland wrote. “There were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed.”
The upshot of this is that adversaries can use various WordPress functions – for instance, in attacks in the wild, the “wp_insert_user” function was used to create administrative user accounts and take over sites, according to the research.
ThemeREX has now addressed the issue by completely removing the affected ~/plugin.rest-api.php file from the plugin – users should update to the latest version to stay protected.
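Because the bug was exploited before a fix existed, site owners may also want to check web server logs for past requests to the endpoint named above. The following is an added example, not code from Wordfence or ThemeREX: it assumes logs in Combined Log Format and uses constructed sample lines, and it covers both the /wp-json/ form and the ?rest_route= form that WordPress uses when pretty permalinks are off.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote

# Endpoint path named in the article; WordPress serves REST routes under
# /wp-json/<route> and, without pretty permalinks, via ?rest_route=<route>.
ROUTE = "/trx_addons/v2/get/sc_layout"

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def hits_route(target: str) -> bool:
    """True if the request target addresses the ThemeREX endpoint."""
    path, _, query = target.partition("?")
    # Decode, collapse duplicate slashes, and lowercase (route matching is
    # case-insensitive) so trivially altered paths are still caught.
    path = re.sub(r"/+", "/", unquote(path)).lower().rstrip("/")
    if path.endswith("/wp-json" + ROUTE):
        return True
    for value in parse_qs(query).get("rest_route", []):  # parse_qs URL-decodes
        if re.sub(r"/+", "/", value).lower().rstrip("/") == ROUTE:
            return True
    return False

def scan(lines):
    """Group matching requests by client IP: {ip: [(time, method, status)]}."""
    found = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m and hits_route(m["target"]):
            found[m["ip"]].append((m["time"], m["method"], int(m["status"])))
    return dict(found)

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [18/Feb/2020:10:01:02 +0000] "GET /wp-json/trx_addons/v2/get/sc_layout HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.9 - - [18/Feb/2020:10:05:40 +0000] "GET /?rest_route=%2Ftrx_addons%2Fv2%2Fget%2Fsc_layout HTTP/1.1" 200 498 "-" "-"',
    '192.0.2.44 - - [18/Feb/2020:10:06:11 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Feb/2020:10:07:30 +0000] "POST /blog/WP-JSON/trx_addons/v2/get/sc_layout/ HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, reqs in scan(SAMPLE).items():
        print(ip, reqs)
```

Since the fix removes the file that registers the endpoint, a 2xx status on a matching request indicates the route was still registered when that request arrived, which makes a review of the site's administrator accounts worthwhile.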
WordPress plugins continue to be a rich avenue of attack for cybercriminals. Last month, popular WordPress plugin Duplicator, which has more than 1 million active installations, was discovered to have an unauthenticated arbitrary file download vulnerability that was being attacked.