Hackers are exploiting a zero-day vulnerability in ThemeREX Addons, a WordPress plugin currently installed on more than 44,000 sites, to create user accounts with admin permissions. According to researchers from Wordfence, a company that specializes in WordPress security, the attacks started two days ago, on February 18.
The ThemeREX Addons plugin is installed as a companion to many ThemeREX themes and provides a number of theme-management features, including one that sets up a WordPress REST API endpoint. The problem is that the plugin does not check whether a request comes from an administrative user: the endpoint allows any PHP function to be executed without administrative permissions.
This flaw can be exploited by attackers to remotely execute code on any website with the ThemeREX Addons plugin installed, including code that injects administrative user accounts.
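As an added illustration, not the plugin's own code (Wordfence has not published it), the hypothetical WordPress plugin below shows the bug class described above beside its hardened form; the namespace `example-addons/v1`, route names, action names and helper function names are assumptions:

```php
<?php
// Hypothetical plugin code (not ThemeREX's) illustrating a REST route that
// runs a caller-chosen PHP function with no capability check, and the fix.

// BEFORE: any visitor, even unauthenticated, can reach this route.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/run', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true', // no administrator check at all
        'callback'            => function ( WP_REST_Request $req ) {
            // Executes whatever function name the request supplies.
            return call_user_func_array( $req['function'], (array) $req['args'] );
        },
    ) );
} );

// AFTER: require an administrator and dispatch only to a fixed allow-list.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/run-safe', array(
        'methods'             => 'POST',
        'permission_callback' => function () {
            // Only users holding manage_options (administrators) may proceed;
            // for cookie-authenticated requests WordPress also requires a valid nonce.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'action' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    // Reject anything that is not a known action name.
                    return in_array( $value, array( 'clear_cache', 'reset_options' ), true );
                },
            ),
        ),
        'callback' => function ( WP_REST_Request $req ) {
            // Map action names to plugin-defined functions (assumed helpers);
            // user input never selects an arbitrary callable.
            $allowed = array(
                'clear_cache'   => 'example_addons_clear_cache',
                'reset_options' => 'example_addons_reset_options',
            );
            $fn = isset( $allowed[ $req['action'] ] ) ? $allowed[ $req['action'] ] : null;
            if ( null === $fn || ! function_exists( $fn ) ) {
                return new WP_Error( 'invalid_action', 'Unknown action', array( 'status' => 400 ) );
            }
            return rest_ensure_response( array( 'result' => call_user_func( $fn ) ) );
        },
    ) );
} );
```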
“This means that remote code can be executed by any visitor, even those that are not authenticated to the site. The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover,” the researchers wrote.
It is currently not clear who is behind these attacks. Wordfence has not provided a full technical analysis of the vulnerability in an effort to minimize exploitation attempts. The firm recommends that site owners remove the ThemeREX Addons plugin if they are running a version greater than 1.6.50, until a patch has been released.