Zero-day and one-day vulnerabilities in popular WordPress plugins are already under attack. Attackers use them to create new administrator accounts and take over sites. Analysts at the information security company Wordfence warned that attackers are exploiting a zero-day vulnerability in the ThemeREX Addons plugin, which ships with all commercial ThemeREX themes. The plugin helps users of ThemeREX products create new websites and control various theme settings, and Wordfence estimates that it is installed on over 44,000 sites. The problem is that the plugin registers a WordPress REST API endpoint but does not check whether the commands sent to that endpoint come from an authorized user (that is, from the site owner). As a result, remote code can be executed by anyone, even without authenticating to the site. Worse, the attackers can create a new administrator account, which experts observed during the attacks that began on February 18, 2020.
Experts urged users to remove ThemeREX Addons versions older than 1.6.50 immediately and not to use the plugin until a patch is released.
However, ThemeREX Addons users are not the only ones who may run into problems. Another plugin under attack is ThemeGrill Demo Importer, which we reported on the other day. These are called one-day attacks: attacks on a very fresh, recently fixed bug. As a reminder, the vulnerability lets remote, unauthenticated attackers send a specially crafted payload to the site that triggers a particular plugin function. For example, the ThemeGrill product has a function that completely resets the site's content, effectively erasing everything on a site with an active ThemeGrill theme and replacing it with demo data. In addition, if the site's database contains a user named admin, an attacker can gain access to that account and all of its rights.
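Both plugins described above fail in the same way: a handler that changes site state is reachable without checking who is calling it. The following is an added example written for this article, not code from ThemeREX, ThemeGrill or Wordfence. It shows the weak pattern beside the hardened one for the two cases the text mentions: a REST API route (the ThemeREX case) and a plugin action hooked into the admin bootstrap (the ThemeGrill case). All names such as 'example-addons/v1', 'example_demo_reset' and example_reset_site_content() are hypothetical.

```php
<?php
/**
 * Added example (not the plugins' own code): missing authorization on a
 * WordPress REST route and on an admin_init handler, each with a fix.
 * Route and function names are hypothetical.
 */

// WEAK: the route is public. '__return_true' (or, before WordPress 5.5,
// omitting permission_callback entirely) lets any unauthenticated request
// reach the callback, so whatever it does is done on behalf of a stranger.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        'permission_callback' => '__return_true',
    ) );
} );

// HARDENED: the same route, reachable only by a user who may manage options.
// WordPress resolves the caller from the login cookie plus X-WP-Nonce header
// (or an application password) before permission_callback runs, so
// current_user_can() reflects a real, authenticated identity here.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/settings-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_save_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'option' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_key',
            ),
            'value'  => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_save_settings( WP_REST_Request $request ) {
    $option = $request->get_param( 'option' );
    $value  = $request->get_param( 'value' );
    // Allow-list the options this endpoint may touch; never call
    // update_option() on an arbitrary caller-supplied name.
    $allowed = array( 'example_addons_color', 'example_addons_layout' );
    if ( ! in_array( $option, $allowed, true ) ) {
        return new WP_Error( 'rest_forbidden_option', 'Option not allowed.', array( 'status' => 403 ) );
    }
    update_option( $option, $value );
    return rest_ensure_response( array( 'updated' => $option ) );
}

// WEAK: a destructive "reset to demo content" action keyed only on a query
// parameter. admin_init also fires for admin-ajax.php, which does not require
// a login, so this handler is effectively unauthenticated.
add_action( 'admin_init', function () {
    if ( isset( $_GET['example_demo_reset'] ) ) {
        example_reset_site_content();
    }
} );

// HARDENED: require a logged-in user with the right capability and a nonce
// bound to that user before anything destructive happens.
add_action( 'admin_init', function () {
    if ( ! isset( $_GET['example_demo_reset_secure'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'example_demo_reset' ); // dies on a missing or invalid _wpnonce
    example_reset_site_content();
} );

function example_reset_site_content() {
    // Hypothetical placeholder for the plugin's import/reset logic.
}
```

When reviewing a plugin, the two things to look for are exactly these: every register_rest_route() call should carry a permission_callback that checks a capability rather than returning true, and every handler hooked to admin_init, admin_post or wp_ajax_nopriv that modifies state should check both a capability and a nonce. The capability check establishes who is acting; the nonce ties the request to that user's session, so a link the administrator is tricked into opening does not fire the action either.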
According to WebARX and to reports published on Twitter, hackers have already begun exploiting the ThemeGrill vulnerability. So far the attacks are purely destructive: the attackers do not seek to seize control of the resource but want to wipe the site's database and destroy data. Experts advise users to update as soon as possible by installing the updated version of the plugin (1.6.2).