Zero-day vulnerability in WordPress ThemeREX addons plugin, replace as soon as possible

Written 3 months ago by IanDorfman

A zero-day vulnerability in the ThemeREX Addons plugin for WordPress was discovered by Wordfence's Threat Intelligence team yesterday.

Wordfence's report details that the plugin is installed on approximately 44,000 sites. The vulnerability allows remote code execution on any site with the plugin installed, including the ability to inject malicious code and create administrative users, which would give attackers unauthorized access.

The vulnerability is made possible by the ThemeREX Addons plugin not verifying the administrative rights of a WordPress REST-API endpoint registration request. Wordfence notes that this is being actively exploited for attacks as severe as complete site hijacking, by creating an administrative user through this unauthorized remote code execution.
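As an added illustration (not code from the ThemeREX plugin or from Wordfence's report), the snippet below shows a WordPress REST route registered with no authorization check beside a hardened registration that requires an administrative capability; the route names, handler and option names are hypothetical.

```php
<?php
// Added example, not ThemeREX code. Route and option names are hypothetical.

add_action( 'rest_api_init', function () {
    // Weak: the permission_callback grants access unconditionally, so any
    // unauthenticated visitor can reach the handler and change site state.
    register_rest_route( 'example-addons/v1', '/settings', array(
        'methods'             => WP_REST_Server::CREATABLE, // POST
        'callback'            => 'example_addons_update_settings',
        'permission_callback' => '__return_true',
    ) );

    // Hardened: require a logged-in user who holds the capability the action
    // actually needs. Cookie-authenticated callers must also send a valid
    // X-WP-Nonce header, otherwise WordPress treats them as logged out.
    register_rest_route( 'example-addons/v1', '/settings-secure', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'callback'            => 'example_addons_update_settings',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'You are not allowed to change these settings.' ),
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
        // Restrict which options the endpoint may touch instead of trusting
        // an arbitrary option name supplied by the caller.
        'args' => array(
            'option_name' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array( 'example_addons_theme', 'example_addons_layout' ),
            ),
            'value' => array(
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );

function example_addons_update_settings( WP_REST_Request $request ) {
    // Only reached when the permission callback and argument validation pass.
    $name = $request->get_param( 'option_name' );
    update_option( $name, $request->get_param( 'value' ) );
    return rest_ensure_response( array( 'updated' => $name ) );
}
```

When auditing a plugin, grep its `register_rest_route` calls for `__return_true` or a missing `permission_callback` and confirm each state-changing route checks a capability rather than only the presence of a request.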

Anyone using version 1.6.50 or later of the plugin is strongly advised to remove it from their WordPress instances until a fix is released. No timetable or plans for a fix from the development team have been announced at the time of this article.

Further coverage:
Wordfence
ZDNet