A vulnerability in a WordPress plugin made by ThemeREX, a company that sells WordPress themes commercially, is being exploited by hackers to carry out attacks. The attacks were detected by Wordfence, a company that provides a web application firewall (WAF) for WordPress websites, and began on February 18, 2020.
The attacks target ThemeREX Addons, a WordPress plugin that comes pre-installed with all ThemeREX commercial themes. The plugin's role is to help buyers of ThemeREX products set up their new websites and control various features. Wordfence estimates that the plugin is installed on more than 44,000 sites.
According to Wordfence, the plugin registers a WordPress REST API endpoint without checking whether the commands sent to that endpoint come from an authorized user, that is, the owner of the site.
According to Wordfence threat analyst Chloe Chamberland, this means that remote code can be executed by any visitor, even one who is not authenticated on the site. Chamberland stressed that the most worrying fact is that hackers are already using the flaw to create a new administrator user, which can then be used to take over the site. The company therefore urges users to temporarily remove ThemeREX Addons if they are running a version higher than 1.6.50, until a patch is released.
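The class of bug described above is a REST route registered with no authorization check. The following PHP is an added illustration written for this article; it is not ThemeREX's code and the plugin name, route names and option name are hypothetical. It registers a weak route (no `permission_callback`, so any visitor can call it) next to the corrected route, which requires an authenticated user with the `manage_options` capability before the callback runs.

```php
<?php
/*
 * Hypothetical plugin "example-plugin" (not ThemeREX Addons) showing the
 * weak and the corrected way to expose a privileged action over the REST API.
 */

add_action( 'rest_api_init', function () {
    // WEAK: no 'permission_callback'. WordPress treats the route as public
    // (since 5.5 it also logs a _doing_it_wrong notice), so an unauthenticated
    // visitor can change the option. Shown only for contrast; do not ship this.
    register_rest_route( 'example-plugin/v1', '/settings-unsafe', array(
        'methods'  => 'POST',
        'callback' => 'example_plugin_save_settings',
    ) );

    // CORRECTED: the request must carry a valid WordPress login (cookie + nonce,
    // or application password) for a user who may manage site options.
    register_rest_route( 'example-plugin/v1', '/settings', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_save_settings',
        'permission_callback' => 'example_plugin_can_manage',
        'args'                => array(
            'items_per_page' => array(
                'required'          => true,
                'sanitize_callback' => 'absint',
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0 && (int) $value <= 100;
                },
            ),
        ),
    ) );
} );

/**
 * Authorization check run before the callback. Returning a WP_Error with a
 * 401/403 status makes the REST server reject the request with that code.
 */
function example_plugin_can_manage( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Administrator privileges required.', array( 'status' => 403 ) );
    }
    return true;
}

/**
 * The privileged action. On the corrected route it is only reached after
 * example_plugin_can_manage() returned true and the argument was validated.
 */
function example_plugin_save_settings( WP_REST_Request $request ) {
    $value = (int) $request->get_param( 'items_per_page' );
    update_option( 'example_plugin_items_per_page', $value );
    return rest_ensure_response( array( 'saved' => true, 'items_per_page' => $value ) );
}
```

Two details matter when reviewing a plugin's routes: `current_user_can()` alone is enough for the capability check because WordPress only attaches a logged-in user to a REST request when the cookie is accompanied by a valid `X-WP-Nonce` header (or another supported authentication method), so a bare cookie replayed from a browser does not pass; and `'permission_callback' => '__return_true'` is the explicit spelling of "public route", which is what to search for when auditing endpoints that should be admin-only.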
Attacks were not found only on sites using ThemeREX Addons. Other attacks targeted WordPress websites running the ThemeGrill Demo Importer, a plugin that comes with themes sold by ThemeGrill, another WordPress theme vendor. These attacks were devastating: hackers exploited a bug in the ThemeGrill plugin to wipe databases and reset WordPress sites to their default settings.
More than 200,000 WordPress sites are estimated to run this ThemeGrill plugin. In addition, hackers could take over vulnerable websites by hijacking the administrator account. These are so-called "1-day" attacks, a term used for attacks that begin immediately after a patch for a bug has been published. ThemeGrill users can stop the attacks by updating the vulnerable plugin.
The ThemeREX attacks, by contrast, are so-called "zero-day" attacks, because they exploit a bug for which no patch exists yet. All that can be done is to disable the plugin until a patch is released.