Attackers are actively exploiting 2 recently patched vulnerabilities in a popular suite of tools for WordPress websites from marketing platform Thrive Themes.
Thrive Themes has recently patched vulnerabilities in its WordPress plugins & legacy Themes – but attackers are targeting those who have not yet applied security updates.
Thrive Themes offers various products to help WordPress websites “convert visitors into leads & customers.” Its suite of products, called Thrive Suite, includes a line-up of Legacy Themes – tools to help change the layout & design of WordPress websites – as well as various plugins.
These plugins offer various website development & visual functionalities, including Thrive Architect, which helps site owners create website landing pages, & Thrive Comments, which helps them implement engaging comments sections.
Two vulnerabilities were found across these Legacy Themes & plugins, and patches were released on March 12. The flaws can be chained to let unauthenticated attackers upload arbitrary files to vulnerable WordPress sites, resulting in full website compromise.
Patch for these Vulnerabilities
However, despite the patches, researchers are seeing a wave of exploit attempts begin, & they warn that more than 100,000 WordPress sites using Thrive Themes products may still be vulnerable.
“We are seeing these vulnerabilities being actively exploited in the wild, & we urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities,” said Chloe Chamberland, Threat Analyst with Wordfence, on Wednesday.
Here is a list of affected versions of Thrive Themes Legacy Themes & plugins, stated by Wordfence:
- All Legacy Themes, including Rise, Ignition, & others | Version < 2.0.0
- Thrive Optimize | Version < 18.104.22.168
- Thrive Comments | Version < 22.214.171.124
- Thrive Headline Optimizer | Version < 126.96.36.199
- Thrive Themes Builder | Version < 2.2.4
- Thrive Leads | Version < 188.8.131.52
- Thrive Ultimatum | Version < 184.108.40.206
- Thrive Quiz Builder | Version < 220.127.116.11
- Thrive Apprentice | Version < 18.104.22.168
- Thrive Architect | Version < 22.214.171.124
- Thrive Dashboard | Version < 126.96.36.199
The more critical of the 2 flaws ranks 10 out of 10 on the CVSS scale & exists in Thrive Themes Legacy Themes. These themes feature the ability to automatically compress images during uploads. However, this functionality was insecurely implemented, explained Chamberland.
“Thrive ‘Legacy’ Themes register a REST API endpoint to compress images using the Kraken image optimisation engine,” expanded Chamberland.
“By supplying a crafted request in combination with data inserted using the Option Update vulnerability, it was possible to use this endpoint to retrieve malicious code from a remote URL & overwrite an existing file on the site with it or create a new file. This includes executable PHP files that contain malicious code.”
A second, less severe vulnerability exists in the Thrive Themes plugins. It stems from an insecure implementation of a Thrive Dashboard feature that integrates with the online automation tool Zapier.
In order to make this integration happen, Thrive Themes products register a REST API endpoint associated with Zapier functionality.
“While this endpoint was intended to require an API key in order to access, it was possible to access it by supplying an empty api_key parameter in vulnerable versions if Zapier was not enabled,” according to Chamberland.
“Attackers could use this endpoint to add arbitrary data to a predefined option in the wp_options table.”
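The two weaknesses Wordfence describes, an API-key check that accepts an empty key and an image-compression endpoint that fetches a remote URL and writes it to disk, are common WordPress REST API mistakes. The following is an added illustration written for this article, not Thrive Themes' code: each weak pattern is shown beside a hardened version. The `example/v1` namespace, the `example_zapier_enabled` and `example_zapier_api_key` options, and the `filename` and `url` parameters are hypothetical names chosen for the example; how Thrive's own code was structured is not described on the page.

```php
<?php
/**
 * Added illustration (not Thrive Themes code). Hypothetical names:
 * namespace 'example/v1', options 'example_zapier_enabled' and
 * 'example_zapier_api_key', request parameters 'api_key', 'url', 'filename'.
 */

// --- 1. API key check ------------------------------------------------------
// Weak pattern: when the integration is disabled the stored key is an empty
// string. A missing api_key parameter is null and an empty one is '', and in
// PHP both compare loosely equal to '', so the check passes for anyone.
function example_weak_permission( WP_REST_Request $request ) {
    $stored   = get_option( 'example_zapier_api_key', '' );
    $supplied = $request->get_param( 'api_key' );
    return $supplied == $stored;
}

// Hardened: refuse when the feature is off or either key is empty, and use
// hash_equals so the comparison is strict and constant-time.
function example_hardened_permission( WP_REST_Request $request ) {
    if ( ! get_option( 'example_zapier_enabled', false ) ) {
        return new WP_Error( 'rest_forbidden', 'Integration disabled.', array( 'status' => 403 ) );
    }
    $stored   = (string) get_option( 'example_zapier_api_key', '' );
    $supplied = (string) $request->get_param( 'api_key' );
    if ( '' === $stored || '' === $supplied || ! hash_equals( $stored, $supplied ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid API key.', array( 'status' => 403 ) );
    }
    return true;
}

// --- 2. Image compression endpoint ----------------------------------------
// Weak pattern: fetch whatever URL is named and write the bytes to whatever
// path is named. If either value can be influenced through a writable option,
// this becomes an arbitrary file write, including of .php files.
function example_weak_compress( WP_REST_Request $request ) {
    $body = wp_remote_retrieve_body( wp_remote_get( $request->get_param( 'url' ) ) );
    file_put_contents( $request->get_param( 'path' ), $body );
    return rest_ensure_response( array( 'ok' => true ) );
}

// Hardened: write only into the uploads directory, only under an image
// extension, only if the fetched bytes decode as an image, and fetch with
// wp_safe_remote_get(), which rejects loopback and private-network hosts.
function example_hardened_compress( WP_REST_Request $request ) {
    $upload_dir = wp_get_upload_dir();
    $target     = realpath( $upload_dir['basedir'] ) . '/' . basename( $request->get_param( 'filename' ) );
    $ext        = strtolower( pathinfo( $target, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'jpg', 'jpeg', 'png', 'gif', 'webp' ), true ) ) {
        return new WP_Error( 'rest_invalid_param', 'Not an image filename.', array( 'status' => 400 ) );
    }
    $response = wp_safe_remote_get( $request->get_param( 'url' ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $body = wp_remote_retrieve_body( $response );
    if ( false === @getimagesizefromstring( $body ) ) {
        return new WP_Error( 'rest_invalid_param', 'Response is not an image.', array( 'status' => 400 ) );
    }
    file_put_contents( $target, $body );
    return rest_ensure_response( array( 'stored' => basename( $target ) ) );
}

// Only the hardened pair is registered; the weak functions are shown for contrast.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/compress', array(
        'methods'             => 'POST',
        'callback'            => 'example_hardened_compress',
        'permission_callback' => 'example_hardened_permission',
    ) );
} );
```

The design point is that a `permission_callback` must fail closed: an unconfigured secret is a reason to deny, never a value to compare against. Likewise, the destination of any server-side fetch should be derived from a fixed directory plus a sanitised basename, never from data the caller or a writable option can steer.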
Of note, a CVE ID for both of these vulnerabilities is pending, according to Wordfence.
Chamberland said attackers can chain these 2 vulnerabilities to gain access to affected websites, though she noted that researchers are intentionally providing minimal details about the exploit chain “in an attempt to keep exploitation to a minimum while also informing WordPress site owners using affected Thrive Theme products of this active campaign.”
At a high level, attackers use the medium-severity “Unauthenticated Option Update” vulnerability to write an option to the database, then leverage that data through the critical-severity “Unauthenticated Arbitrary File Upload” vulnerability to upload a malicious PHP file.
“The combination of these 2 vulnerabilities is allowing attackers to gain backdoor access into vulnerable sites to further compromise them,” commented Chamberland.
Researchers were able to “verify this intrusion vector” on an individual site & they then found the payload added by this attack on over 1,900 sites, all of which appear to have vulnerable REST API endpoints.
Chamberland explained that researchers are seeing attackers add a signup.php file to the home directory of targeted sites, which is then being used to further infect sites with spam.
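Wordfence's indicator for this campaign is a dropped `signup.php` in the site's home directory, a name chosen to sit inconspicuously next to the legitimate `wp-signup.php`. The following added example, not from Wordfence or Thrive Themes, lists PHP files in a WordPress install root that are not part of stock WordPress core and records their modification time and SHA-256 so a suspicious file can be compared or quarantined. The core file list is WordPress's current root layout; the script name `check-root.php` is a placeholder.

```php
<?php
/**
 * Added example (not from Wordfence or Thrive Themes): report PHP files in a
 * WordPress root that stock core does not ship. Usage from a shell:
 *   php check-root.php /var/www/html
 */

// PHP files WordPress core places directly in the install root.
const EXPECTED_ROOT_PHP = array(
    'index.php', 'wp-activate.php', 'wp-blog-header.php', 'wp-comments-post.php',
    'wp-config.php', 'wp-config-sample.php', 'wp-cron.php', 'wp-links-opml.php',
    'wp-load.php', 'wp-login.php', 'wp-mail.php', 'wp-settings.php',
    'wp-signup.php', 'wp-trackback.php', 'xmlrpc.php',
);

/**
 * Return one record per unexpected root-level .php file: name, mtime, SHA-256.
 */
function unexpected_root_php( string $root ): array {
    $found = array();
    foreach ( glob( rtrim( $root, '/' ) . '/*.php' ) ?: array() as $path ) {
        $name = basename( $path );
        if ( in_array( $name, EXPECTED_ROOT_PHP, true ) ) {
            continue;
        }
        $found[] = array(
            'file'     => $name,
            'modified' => date( 'c', filemtime( $path ) ),
            'sha256'   => hash_file( 'sha256', $path ),
        );
    }
    return $found;
}

$root = $argv[1] ?? getcwd();
$hits = unexpected_root_php( $root );
if ( empty( $hits ) ) {
    echo "No unexpected PHP files in {$root}\n";
}
foreach ( $hits as $hit ) {
    printf( "%s  %s  %s\n", $hit['modified'], $hit['sha256'], $hit['file'] );
}
```

An unexpected file is a lead, not a verdict: some hosts add their own root-level PHP, and a moved `wp-config.php` will not appear. Pair this with `wp core verify-checksums` (WP-CLI), which compares every core file against the official checksums, and treat a root-level file whose mtime coincides with the attack window as something to preserve for analysis before it is removed.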
“This number is continuing to rise indicating that the attackers are continuing to successfully exploit the vulnerabilities & compromise sites,” Chamberland observed.
“Right now, we don’t have an idea who specifically, per se, is behind the attacks; however, most of the attack data we are seeing is primarily coming from an attacker with the IP address of 188.8.131.52.”
Update to Version 2.0.0
Chamberland concluded that Thrive Themes users should ensure they are updated as soon as possible.
“For the time being, we urge site owners running any of the Thrive Themes ‘legacy’ themes to update to version 2.0.0 immediately, & any site owners running any of the Thrive plugins to update to the latest version available for each of the respective plugins,” she stated.