Zero-day and one-day vulnerabilities in popular WordPress plugins are already under active attack. With their help, attackers create new administrator accounts and hijack sites.
Wordfence security analysts warned that cybercriminals are exploiting a zero-day vulnerability in the ThemeREX Addons plugin, which ships with all ThemeREX commercial themes. The plugin helps users of ThemeREX products set up new sites and manage various theme settings. Wordfence estimates that it is installed on more than 44,000 sites.
The problem is that the plugin registers a WordPress REST API endpoint but never checks whether the request comes from an authorized user (that is, the site owner) before acting on the commands sent to it. As a result, anyone can achieve remote code execution through the endpoint without ever authenticating to the site. Worse, attackers can use it to create a new administrator account, which is exactly what the experts observed in the attacks that began on February 18, 2020.
The experts urged users to remove ThemeREX Addons 1.6.50 and later immediately, and not to use the plugin until a patch is released.
However, the trouble is not limited to ThemeREX Addons users. Another plugin under attack is ThemeGrill Demo Importer, which we wrote about the other day. Attacks of this kind target a one-day vulnerability: a very fresh bug that has only just been fixed, which attackers race to exploit on sites that have not yet applied the update.
Let me remind you that the vulnerability lets remote, unauthenticated attackers send a specially crafted request to the site that triggers a particular plugin function. The ThemeGrill product includes a function that completely resets the site's content, effectively wiping everything on a site with a ThemeGrill theme active and replacing it with demo data. Moreover, if the site's database contains a user named admin, the attacker ends up with access to that account and all of its rights.
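As an added illustration of both plugin mistakes described above (the REST endpoint with no authorization check in ThemeREX Addons, and the destructive function fired by a mere request parameter in ThemeGrill Demo Importer), here is a hypothetical WordPress plugin fragment written for this page, not code from either vendor. The plugin slug, route, parameter and function names are invented; the WordPress APIs used (`register_rest_route`, `permission_callback`, `current_user_can`, `check_admin_referer`, the `admin_init` hook) are real.

```php
<?php
/**
 * Added example (not ThemeREX or ThemeGrill code): two ways a WordPress plugin
 * exposes privileged behaviour to the whole internet, each beside its fix.
 * All names below ('demo-addons', 'demo_do_reset', demo_*) are hypothetical.
 */

/* ---- Pattern 1: REST route with no permission check (ThemeREX-style) ---- */

// VULNERABLE: no 'permission_callback', so any unauthenticated visitor can
// POST to /wp-json/demo-addons/v1/layout and drive the callback with
// attacker-controlled parameters.
function demo_addons_register_routes_vulnerable() {
    register_rest_route( 'demo-addons/v1', '/layout', array(
        'methods'  => 'POST',
        'callback' => 'demo_addons_render_layout',
    ) );
}

// HARDENED: callers who cannot manage the site are refused. Cookie-based REST
// auth only yields a logged-in user when a valid X-WP-Nonce header is sent,
// so a plain cross-site request is treated as anonymous and fails this check.
// The parameter is also validated against a whitelist instead of being handed
// to arbitrary code.
function demo_addons_register_routes_hardened() {
    register_rest_route( 'demo-addons/v1', '/layout', array(
        'methods'             => 'POST',
        'callback'            => 'demo_addons_render_layout',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'layout' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return in_array( $value, array( 'one-column', 'two-column' ), true );
                },
            ),
        ),
    ) );
}

function demo_addons_render_layout( WP_REST_Request $request ) {
    return rest_ensure_response( array( 'layout' => $request->get_param( 'layout' ) ) );
}

// Only the hardened registration is hooked; the vulnerable one is kept for contrast.
add_action( 'rest_api_init', 'demo_addons_register_routes_hardened' );

/* ---- Pattern 2: destructive action keyed on a request parameter (ThemeGrill-style) ---- */

// VULNERABLE: admin_init also fires for unauthenticated requests to
// wp-admin/admin-ajax.php, so anyone who knows the parameter name can wipe
// the site with a single GET request.
function demo_importer_maybe_reset_vulnerable() {
    if ( isset( $_GET['demo_do_reset'] ) ) {
        demo_importer_reset_site();
    }
}

// HARDENED: a capability check keeps anonymous users out, and a nonce check
// keeps a logged-in administrator from being tricked (CSRF) into triggering
// the reset by visiting an attacker's page.
function demo_importer_maybe_reset_hardened() {
    if ( ! isset( $_GET['demo_do_reset'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_importer_reset' ); // dies on a missing or invalid _wpnonce
    demo_importer_reset_site();
}

function demo_importer_reset_site() {
    // Stand-in for the destructive work (a real importer would truncate and
    // re-seed the content tables here); recorded as an option so the effect is visible.
    update_option( 'demo_importer_last_reset', time() );
}

add_action( 'admin_init', 'demo_importer_maybe_reset_hardened' );
```

The fix in both cases is the same principle: a request parameter or a REST route is not proof of who is asking, so every privileged action needs an explicit capability check, and state-changing actions reachable from a browser need a nonce as well. Note that a `permission_callback` alone does not stop an attacker who has already created an administrator account, which is why the article's advice to remove or update the plugin still stands.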
According to WebARX and judging by messages posted on Twitter, hackers have already begun exploiting the ThemeGrill vulnerability. So far the attacks are purely destructive: the attackers are not trying to take control of the sites, but to wipe their databases and destroy data. The experts advise users to upgrade to the patched version of the plugin (1.6.2) as soon as possible.