Cybersecurity experts discovered active exploits against vulnerable WordPress sites running previously patched Thrive Themes and plugins.
On March 23, the Wordfence Threat Intelligence Team discovered attackers actively exploiting two recently patched vulnerabilities affecting Thrive Themes “Legacy” themes and Thrive Themes plugins.
According to the Wordfence report, the actors chained together the vulnerabilities to upload arbitrary files on vulnerable WordPress sites without requiring any authentication.
“We estimate that more than 100,000 WordPress sites are using Thrive Theme products that may still be vulnerable,” Wordfence warned in the blog post.
Thrive Themes released patches for the vulnerable themes and plugins on March 12, 2021.
Chained vulnerabilities
The following Thrive Themes vulnerabilities were patched:
- Medium: Unauthenticated Option Update (affects all Thrive Themes plugins and themes)
- Critical: Unauthenticated Arbitrary File Upload and Option Deletion (affects all Thrive Themes Legacy themes)
The first vulnerability, rated Medium severity with a CVSS score of 5.8, stemmed from an insecure implementation of the Thrive Dashboard integration with Zapier.
The second, more severe vulnerability, rated Critical with a CVSS score of 10.0, stemmed from an insecure implementation of the Thrive Themes “Legacy” themes feature that automatically compresses images during upload. No CVEs had been assigned to either vulnerability at the time the advisories were published.
As previously mentioned, the attackers chained separate exploits against these two vulnerabilities in order to gain access to vulnerable WordPress sites.