Hackers exploit zero-day in WordPress plugin to create rogue admin accounts

Attacks detected targeting sites running the ThemeREX Addons plugin.
Written by Catalin Cimpanu, Contributor

Hackers are exploiting a zero-day vulnerability in a WordPress plugin made by ThemeREX, a company that sells commercial WordPress themes.

The attacks, detected by Wordfence, a company that provides a web application firewall (WAF) for WordPress sites, began yesterday, February 18.

They target ThemeREX Addons, a WordPress plugin that ships pre-installed with all ThemeREX commercial themes. The plugin's role is to help buyers of ThemeREX products set up their new sites and control various theme features. Wordfence estimates the plugin is installed on more than 44,000 sites.

According to the WordPress security firm, the plugin works by setting up a WordPress REST API endpoint but does not check that commands sent to this REST API are coming from authorized users (i.e., the site owner).

"This means that remote code can be executed by any visitor, even those that are not authenticated to the site," said Chloe Chamberland, threat analyst at Wordfence.

"The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover," she added.

"We urge users to temporarily remove the ThemeREX Addons plugin if you are running a version greater than 1.6.50 until a patch has been released," Chamberland said.
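The bug class Wordfence describes is a REST route whose handler runs for any caller. The following is an added illustration, not ThemeREX's code: a hypothetical plugin route registered the weak way next to the hardened registration, plus a small audit hook that flags administrator-role assignments made through the REST API. Names (`example-addons/v1`, `example_addons_apply_settings`, `color_scheme`) are assumptions.

```php
<?php
// Illustrative only: a hypothetical plugin route, not ThemeREX's code.
// Shows an unauthenticated REST endpoint next to the hardened form.

// VULNERABLE PATTERN: any visitor, logged in or not, reaches the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_addons_apply_settings',
        'permission_callback' => '__return_true', // no authorization at all
    ) );
} );

// HARDENED PATTERN: require an authenticated administrator, validate input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/settings-safe', array(
        'methods'             => 'POST',
        'callback'            => 'example_addons_apply_settings',
        'permission_callback' => function () {
            // For cookie sessions WordPress only treats the caller as logged
            // in when a valid X-WP-Nonce accompanied the request.
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'color_scheme' => array(
                'required'          => true,
                'type'              => 'string',
                'enum'              => array( 'light', 'dark' ),
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_addons_apply_settings( WP_REST_Request $request ) {
    update_option( 'example_addons_color_scheme', $request['color_scheme'] );
    return rest_ensure_response( array( 'status' => 'saved' ) );
}

// DETECTION: log any administrator role granted during a REST request,
// which covers both new admin accounts and escalation of existing ones.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' === $role && defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        error_log( sprintf( 'Administrator role set on user %d via REST from %s',
            $user_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown' ) );
    }
}, 10, 3 );
```

Since WordPress 5.5, registering a route with no `permission_callback` at all raises a `_doing_it_wrong` notice, but `__return_true` satisfies the check while leaving the endpoint open, so audits should grep for it rather than rely on the notice.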

A second attack on a WordPress plugin: a 1-day

But the attacks on sites running the ThemeREX Addons plugin were not the only ones spotted yesterday.

There was a second wave of attacks on WordPress sites. This second wave targeted sites running ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, another WordPress theme maker.

However, these attacks were destructive, rather than part of a cybercrime or botnet operation. According to WebARX and reports posted on Twitter, hackers used a bug in the ThemeGrill plugin to wipe databases and reset WordPress sites to their default states.

More than 200,000 WordPress sites are believed to run this ThemeGrill plugin. Further, in some rare circumstances, attackers could also take over vulnerable sites by hijacking their admin account.

These are so-called "1-day" attacks, a term used to describe attacks that take place immediately after a patch is provided for a vulnerability. ThemeGrill users can mitigate attacks by updating the vulnerable plugin.

On the other hand, the attacks on ThemeREX are so-called "zero-day" attacks, as they exploit a bug for which no patch is yet available. As Wordfence recommended above, disabling the plugin until a patch is released is the only mitigation currently available.
