20 February 2020

WordPress ThemeREX plugin flaw is being actively exploited to create rogue admin accounts

Hackers are exploiting a zero-day vulnerability in ThemeREX Addons, a WordPress plugin currently installed on more than 44,000 sites, to create user accounts with administrator permissions. According to researchers from Wordfence, a company specializing in WordPress security, the attacks began two days ago, on February 18.

The ThemeREX Addons plugin is installed as a companion to many ThemeREX themes and provides a number of theme management features, including functionality that registers a WordPress REST-API endpoint. The problem is that the plugin does not check whether a request to this endpoint comes from an administrative user: the endpoint allows any PHP function to be executed without administrative permissions.

Attackers can exploit this flaw to remotely execute code on any website with the ThemeREX Addons plugin installed, including code that injects administrative user accounts.
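The class of bug described above is a REST route with no authorization check. The following is an added illustration, not the ThemeREX plugin's code: a hypothetical WordPress REST route registered without a permission check and dispatching on a caller-supplied function name, next to a hardened version that requires the `manage_options` capability and only dispatches to an allowlist of actions. The route names and the `example_*` functions are invented for the illustration.

```php
<?php
// Hypothetical theme-management actions the endpoint is allowed to run.
function example_clear_cache()   { return array( 'cleared' => true ); }
function example_reimport_demo() { return array( 'imported' => true ); }

// WEAK PATTERN: the route is open to every visitor and the callback executes
// whatever function name the request names. This is the shape of flaw the
// article describes, reproduced here only to contrast with the fix below.
function example_run_action_unsafe( WP_REST_Request $req ) {
    $fn = $req->get_param( 'fn' ); // caller-controlled function name
    return call_user_func( $fn );  // arbitrary PHP function execution
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/unsafe-action', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_run_action_unsafe',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// HARDENED PATTERN: administrators only, and only allowlisted actions.
function example_run_action_safe( WP_REST_Request $req ) {
    // Map of accepted action names to the functions they may invoke.
    $actions = array(
        'clear_cache'   => 'example_clear_cache',
        'reimport_demo' => 'example_reimport_demo',
    );
    $name = sanitize_key( (string) $req->get_param( 'action' ) );
    if ( ! isset( $actions[ $name ] ) ) {
        // Anything not on the allowlist is rejected, never executed.
        return new WP_Error( 'example_unknown_action', 'Unknown action.', array( 'status' => 400 ) );
    }
    return rest_ensure_response( call_user_func( $actions[ $name ] ) );
}
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/action', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_run_action_safe',
        // Runs before the callback; unauthenticated visitors fail this check.
        // With cookie authentication WordPress also requires a valid
        // X-WP-Nonce header, otherwise the request is treated as anonymous.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );
```

The `permission_callback` is what keeps anonymous visitors away from the callback; the allowlist is what stops an authenticated but non-privileged caller, or a future bug in the permission check, from turning the endpoint into a generic function invoker.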

“This means that remote code can be executed by any visitor, even those that are not authenticated to the site. The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover,” the researchers wrote.

It is currently unclear who is behind these attacks. Wordfence has not published a full technical analysis of the vulnerability in order to limit further exploitation attempts. The firm recommends that site owners running a version newer than 1.6.50 remove the ThemeREX Addons plugin until a patch has been released.
