20 February 2020

WordPress ThemeREX plugin flaw is being actively exploited to create rogue admin accounts

Hackers are exploiting a zero-day vulnerability in ThemeREX Addons, a WordPress plugin currently installed on more than 44,000 sites, to create user accounts with admin permissions. According to researchers from Wordfence, a company that specializes in WordPress security, the attacks started two days ago, on February 18.

The ThemeREX Addons plugin is installed as a companion to many ThemeREX themes and provides a number of theme management features, including functionality that registers a WordPress REST API endpoint. The problem is that the plugin does not check whether a request is coming from an administrative user: the endpoint allows any PHP function to be executed without administrative permissions.

This flaw can be exploited by attackers to remotely execute code on any website with the ThemeREX Addons plugin installed, including code that injects administrative user accounts.
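The bug class described above is a REST route whose permission check accepts everyone. The following is an added, illustrative example (not the ThemeREX Addons code) showing such a route beside a hardened version; the `example/v1` namespace, route names and callback names are hypothetical, and the code assumes it is loaded inside a WordPress plugin.

```php
<?php
// Illustrative only, not the ThemeREX Addons code. Assumes WordPress is loaded.

// WEAK: '__return_true' lets any unauthenticated visitor reach the callback.
// If the callback then runs a caller-chosen function, that is the flaw class
// described in the article.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/action-weak', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_action',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: require an administrator (cookie auth also needs a valid
// X-WP-Nonce, which core enforces) and accept only allow-listed action names.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/action', array(
        'methods'             => 'POST',
        'callback'            => 'example_handle_action',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Administrator required.',
                    array( 'status' => 403 ) );
            }
            return true;
        },
        'args' => array(
            'action' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                // Reject anything that is not a known action name.
                'validate_callback' => function ( $value ) {
                    return array_key_exists( $value, example_allowed_actions() );
                },
            ),
        ),
    ) );
} );

// Fixed map of action name => handler. Only these can ever be dispatched;
// the handler functions are hypothetical plugin internals.
function example_allowed_actions() {
    return array(
        'flush_theme_cache'   => 'example_flush_theme_cache',
        'reset_theme_options' => 'example_reset_theme_options',
    );
}

function example_handle_action( WP_REST_Request $request ) {
    $map  = example_allowed_actions();
    $func = $map[ $request->get_param( 'action' ) ]; // validated above
    return rest_ensure_response( array( 'result' => call_user_func( $func ) ) );
}
```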

“This means that remote code can be executed by any visitor, even those that are not authenticated to the site. The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover,” the researchers wrote.

Currently it is not clear who is behind these attacks. Wordfence has not published a full technical analysis of the vulnerability, in an effort to limit exploitation attempts. The firm recommends that site owners remove the ThemeREX Addons plugin if they are running a version greater than 1.6.50 until a patch has been released.
