RCE in popular ThemeREX WordPress Plugin has been actively exploited

The WordPress plugin ‘ThemeREX Addons’ is affected by a critical vulnerability that could allow remote attackers to execute arbitrary code.

A critical vulnerability in the WordPress plugin known as ThemeREX Addons could be exploited for remote code execution.

The plugin is currently installed on tens of thousands of websites and, according to the security firm Wordfence, the vulnerability has been actively exploited in the wild as a zero-day.

The plugin, which is installed on approximately 44,000 sites, is used to apply various “skins” that govern the look and feel of web destinations, including theme-enhancing features and widgets.

“On February 18th, we were alerted to a vulnerability present in ThemeREX Addons, a WordPress plugin installed on approximately 44,000 sites,” reads the analysis published by Wordfence. “As this vulnerability was being actively attacked, we also publicly notified the community of the vulnerability to help protect users from being compromised.”

Experts discovered that the vulnerability resides in the ~/includes/plugin.rest-api.php file. To provide compatibility with the Gutenberg block editor, the ThemeREX Addons plugin exposes a WordPress REST API endpoint (“/trx_addons/v2/get/sc_layout”), which in turn calls the “trx_addons_rest_get_sc_layout” function.

When the plugin communicates with Gutenberg through the REST API, the touchpoints of that communication are known as endpoints; ThemeREX registers this one in the same “~/includes/plugin.rest-api.php” file.

“There were no capability checks on this endpoint that would block users that were not administrators or currently signed in, so any user had the ability to call the endpoint regardless of capability. In addition, there was no nonce check to verify the authenticity of the source,” continues the analysis. “Access control and cross-site request forgery (CSRF) protection aside, the core of the problem was within the functionality of the code itself.”

Experts also noticed that the code contains functionality that retrieves parameters from widgets that work with the Gutenberg plugin. It is in this portion of the code that they found “the core of the remote code execution vulnerability.”

“There were no restrictions on the PHP functions that could be used or the parameters that were provided as input. Instead, we see a simple if (function_exists($sc)) allowing for any PHP function to be called and executed,” continues the analysis.

Because any PHP function could be invoked this way, an attacker could call WordPress functions such as “wp_insert_user” to create administrative user accounts and take control of sites running the vulnerable plugin.
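For contrast, here is how such an endpoint looks once the three missing pieces are in place: a permission callback for access control, the REST nonce requirement that follows from it, and a fixed allowlist so that the client chooses a key into a table rather than a PHP function name. This is an added example written for this article, not ThemeREX's code; the namespace, route and handler names are hypothetical.

```php
<?php
// Added example, not ThemeREX's code: a REST endpoint that dispatches through a
// fixed allowlist instead of calling a client-named function. Names are hypothetical.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/get/layout', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_rest_get_layout',
        // Access control, run by WordPress before the callback. A cookie session
        // counts as anonymous here without a valid X-WP-Nonce, so this also
        // closes the CSRF gap described in the article.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'sc' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
                // Reject any value that is not a key of the allowlist.
                'validate_callback' => function ( $value ) {
                    return array_key_exists( $value, example_layout_handlers() );
                },
            ),
        ),
    ) );
} );

// The only functions this endpoint may call; the request carries a key into
// this table, never a PHP function name.
function example_layout_handlers() {
    return array(
        'header' => 'example_render_header',
        'footer' => 'example_render_footer',
    );
}
function example_render_header( array $params ) {
    return '<header>' . esc_html( $params['title'] ?? '' ) . '</header>';
}
function example_render_footer( array $params ) {
    return '<footer>' . esc_html( $params['text'] ?? '' ) . '</footer>';
}
function example_rest_get_layout( WP_REST_Request $request ) {
    $handlers = example_layout_handlers();
    $sc       = $request->get_param( 'sc' );
    if ( ! isset( $handlers[ $sc ] ) || ! function_exists( $handlers[ $sc ] ) ) {
        return new WP_Error( 'unknown_layout', 'Unknown layout.', array( 'status' => 400 ) );
    }
    // Sanitize every client-supplied parameter before the handler sees it.
    $params = array_map( 'sanitize_text_field', (array) $request->get_param( 'params' ) );
    return rest_ensure_response( array( 'layout' => call_user_func( $handlers[ $sc ], $params ) ) );
}
```

The difference from the pattern quoted above is that function_exists() is only ever asked about names taken from the plugin's own table, so no request can steer it toward wp_insert_user or any other function.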

ThemeREX developers addressed the vulnerability by removing the ~/plugin.rest-api.php file from the plugin code.

“This flaw has been patched in all ThemeREX themes that were running vulnerable versions of this plugin and we recommend that users update to the latest version available immediately,” concludes the advisory.

Unfortunately, the number of attacks attempting to exploit vulnerabilities in WordPress plugins continues to increase. A couple of weeks ago, researchers at NinTechNet reported an ongoing campaign that was actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin. Other attacks recently observed are:

  • Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact more than 300,000 sites.
  • Jan. 2020 – Over 200K WordPress sites were exposed to attacks due to a high-severity cross-site request forgery (CSRF) bug in the Code Snippets plugin.
  • Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin, with over 200,000 active installs, can be exploited to wipe sites and gain admin access.
  • Feb. 2020 – A stored cross-site scripting (XSS) vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
  • Feb. 2020 – A zero-day vulnerability in ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.

I believe it is very important to protect WordPress installs with dedicated solutions. I’m currently using the Wordfence solution; the company provided me with a license to evaluate the premium features.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)
