Patched vulnerabilities in a theme package created by Thrive Themes are under attack as we speak…err…type.
Based on reports from TechRadar, it is likely that over 100,000 installations of the themes are affected and are being strategized for attack by hackers.
As always, updating to the latest version of the themes are highly recommended, because they all contain patches for the latest vulnerabilities.
Wordfence strongly recommends that all users of the following themes upgrade to the latest versions:
- All Legacy Themes, including Rise, Ignition, and others | Version < 2.0.0
- Thrive Optimize | Version < 1.4.13.3
- Thrive Comments | Version < 1.4.15.3
- Thrive Headline Optimizer | Version < 1.3.7.3
- Thrive Themes Builder | Version < 2.2.4
- Thrive Leads Version | < 2.3.9.4
- Thrive Ultimatum Version | < 2.3.9.4
- Thrive Quiz Builder Version | < 2.3.9.4
- Thrive Apprentice | Version < 2.3.9.4
- Thrive Architect | Version < 2.6.7.4
- Thrive Dashboard | Version < 2.3.9.3
- Thrive Ovation | Version < 2.4.5
What Is Currently Affected?
Thrive Themes offers a nice benefit to its plugins, and that’s integration with Zapier. This integration allows one to automate processes.
The problem with this feature is that it was not implemented securely.
A REST API endpoint is used within Thrive Themes in order to associate them with functionality for Zapier. What is required by the endpoint for access is an API key.
The critical vulnerability here is that attackers could supply a blank api_key parameter if Zapier functionality was not enabled.
This resulted in a critical vulnerability where attackers can add whatever arbitrary data they wanted to any predefined option in the wp_options table.
Auto Image Compression Was Also Affected
One of the aspects of Thrive’s Legacy Themes that continues to be popular is the ability to compress images automatically while uploading.
Sadly, this aspect was not implemented securely either.
Here’s how it works: The Kraken.io image optimizer is used to create a REST API endpoint to compress images. Some attackers have devised methods in which they could use requests along with data added through an Option Update vulnerability, in order to get malicious code from an external URL.
This malicious code could allow attackers to overwrite any existing files or create a brand new file. Unfortunately, this also means that executable PHP files which have malicious code are included.
Why This Vulnerability Is So Serious
It’s possible to chain together multiple exploits so that you can take over ownership of a website. Wordfence reports that:
“We’ve seen cases in the past where attackers chain two separate exploits in order to gain access to a site and that was the case with this exploit.
Attackers are using the Unauthenticated Option Update vulnerability to update an option in the database that can then be used by the Unauthenticated Arbitrary File Upload vulnerability to upload a malicious PHP file. The combination of these two vulnerabilities is allowing attackers to gain backdoor access into vulnerable sites to further compromise them.”
This is why you must update your themes as soon as possible and make sure that you are not running any malicious software on your servers.
This way, at least you won’t unintentionally become an agent of chaos simply by clicking and running a file.
What Should You Do Next?
We highly recommend that you follow the recommended guidelines for updating these themes.
By doing so, you can avoid falling victim to attacks currently in progress.
Remember: An overly-cautious mindset is one of the best recipes for prevention! Being overly-cautious is better than finding out later that your site was compromised overnight.
Image Credit
Featured Image: LookerStudio / Mar 2021
